Skip to content

T
terraform-aws-vpc
Commit 44e6eaa1 authored by Tomasz Charewicz's avatar Tomasz Charewicz Committed by GitHub
Browse files
Options

feat!: Support enabling NAU metrics in "aws_vpc" resource (#838) 

Co-authored-by: default avatarTomasz Charewicz <tomasz.charewicz@ringieraxelspringer.pl>
Co-authored-by: default avatarAnton Babenko <anton@antonbabenko.com>
Co-authored-by: default avatarBryant Biggs <bryantbiggs@gmail.com>
parent 7010e70b
Show whitespace changes
Inline Side-by-side
Showing with 3301 additions and 1854 deletions
.pre-commit-config.yaml
View file @ 44e6eaa1
repos:
- repo: https://github.com/antonbabenko/pre-commit-terraform
rev: v1.77.0
rev: v1.77.1
hooks:
- id: terraform_fmt
- id: terraform_validate
......
README.md
View file @ 44e6eaa1
......@@ -231,15 +231,17 @@ module "vpc_cidr_from_ipam" {
## Examples
- [Simple VPC](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/simple-vpc)
- [Simple VPC with secondary CIDR blocks](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/secondary-cidr-blocks)
- [Complete VPC](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/complete-vpc) with VPC Endpoints.
- [VPC with IPv6 enabled](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/ipv6)
- [Complete VPC](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/complete) with VPC Endpoints.
- [VPC using IPAM](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/ipam)
- [Dualstack IPv4/IPv6 VPC](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/ipv6-dualstack)
- [IPv6 only subnets/VPC](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/ipv6-only)
- [Manage Default VPC](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/manage-default-vpc)
- [Network ACL](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/network-acls)
- [VPC Flow Logs](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/vpc-flow-logs)
- [VPC with Outpost](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/outpost)
- [VPC CIDR from IPAM](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/ipam-vpc)
- [Manage Default VPC](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/manage-default-vpc)
- [VPC with secondary CIDR blocks](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/secondary-cidr-blocks)
- [VPC with unique route tables](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/separate-route-tables)
- [Simple VPC](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/simple)
- [VPC Flow Logs](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/vpc-flow-logs)
- [Few tests and edge case examples](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/issues)
## Contributing
......@@ -253,14 +255,14 @@ Full contributing [guidelines are covered here](.github/contributing.md).
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.73 |
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.35 |
## Providers
| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.73 |
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.35 |
## Modules
......@@ -352,38 +354,43 @@ No modules.
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_amazon_side_asn"></a> [amazon\_side\_asn](#input\_amazon\_side\_asn) | The Autonomous System Number (ASN) for the Amazon side of the gateway. By default the virtual private gateway is created with the current default Amazon ASN. | `string` | `"64512"` | no |
| <a name="input_assign_ipv6_address_on_creation"></a> [assign\_ipv6\_address\_on\_creation](#input\_assign\_ipv6\_address\_on\_creation) | Assign IPv6 address on subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map\_public\_ip\_on\_launch | `bool` | `false` | no |
| <a name="input_amazon_side_asn"></a> [amazon\_side\_asn](#input\_amazon\_side\_asn) | The Autonomous System Number (ASN) for the Amazon side of the gateway. By default the virtual private gateway is created with the current default Amazon ASN | `string` | `"64512"` | no |
| <a name="input_azs"></a> [azs](#input\_azs) | A list of availability zones names or ids in the region | `list(string)` | `[]` | no |
| <a name="input_cidr"></a> [cidr](#input\_cidr) | (Optional) The IPv4 CIDR block for the VPC. CIDR can be explicitly set or it can be derived from IPAM using `ipv4_netmask_length` & `ipv4_ipam_pool_id` | `string` | `"0.0.0.0/0"` | no |
| <a name="input_cidr"></a> [cidr](#input\_cidr) | (Optional) The IPv4 CIDR block for the VPC. CIDR can be explicitly set or it can be derived from IPAM using `ipv4_netmask_length` & `ipv4_ipam_pool_id` | `string` | `"10.0.0.0/16"` | no |
| <a name="input_create_database_internet_gateway_route"></a> [create\_database\_internet\_gateway\_route](#input\_create\_database\_internet\_gateway\_route) | Controls if an internet gateway route for public database access should be created | `bool` | `false` | no |
| <a name="input_create_database_nat_gateway_route"></a> [create\_database\_nat\_gateway\_route](#input\_create\_database\_nat\_gateway\_route) | Controls if a nat gateway route should be created to give internet access to the database subnets | `bool` | `false` | no |
| <a name="input_create_database_subnet_group"></a> [create\_database\_subnet\_group](#input\_create\_database\_subnet\_group) | Controls if database subnet group should be created (n.b. database\_subnets must also be set) | `bool` | `true` | no |
| <a name="input_create_database_subnet_route_table"></a> [create\_database\_subnet\_route\_table](#input\_create\_database\_subnet\_route\_table) | Controls if separate route table for database should be created | `bool` | `false` | no |
| <a name="input_create_egress_only_igw"></a> [create\_egress\_only\_igw](#input\_create\_egress\_only\_igw) | Controls if an Egress Only Internet Gateway is created and its related routes. | `bool` | `true` | no |
| <a name="input_create_egress_only_igw"></a> [create\_egress\_only\_igw](#input\_create\_egress\_only\_igw) | Controls if an Egress Only Internet Gateway is created and its related routes | `bool` | `true` | no |
| <a name="input_create_elasticache_subnet_group"></a> [create\_elasticache\_subnet\_group](#input\_create\_elasticache\_subnet\_group) | Controls if elasticache subnet group should be created | `bool` | `true` | no |
| <a name="input_create_elasticache_subnet_route_table"></a> [create\_elasticache\_subnet\_route\_table](#input\_create\_elasticache\_subnet\_route\_table) | Controls if separate route table for elasticache should be created | `bool` | `false` | no |
| <a name="input_create_flow_log_cloudwatch_iam_role"></a> [create\_flow\_log\_cloudwatch\_iam\_role](#input\_create\_flow\_log\_cloudwatch\_iam\_role) | Whether to create IAM role for VPC Flow Logs | `bool` | `false` | no |
| <a name="input_create_flow_log_cloudwatch_log_group"></a> [create\_flow\_log\_cloudwatch\_log\_group](#input\_create\_flow\_log\_cloudwatch\_log\_group) | Whether to create CloudWatch log group for VPC Flow Logs | `bool` | `false` | no |
| <a name="input_create_igw"></a> [create\_igw](#input\_create\_igw) | Controls if an Internet Gateway is created for public subnets and the related routes that connect them. | `bool` | `true` | no |
| <a name="input_create_igw"></a> [create\_igw](#input\_create\_igw) | Controls if an Internet Gateway is created for public subnets and the related routes that connect them | `bool` | `true` | no |
| <a name="input_create_redshift_subnet_group"></a> [create\_redshift\_subnet\_group](#input\_create\_redshift\_subnet\_group) | Controls if redshift subnet group should be created | `bool` | `true` | no |
| <a name="input_create_redshift_subnet_route_table"></a> [create\_redshift\_subnet\_route\_table](#input\_create\_redshift\_subnet\_route\_table) | Controls if separate route table for redshift should be created | `bool` | `false` | no |
| <a name="input_create_vpc"></a> [create\_vpc](#input\_create\_vpc) | Controls if VPC should be created (it affects almost all resources) | `bool` | `true` | no |
| <a name="input_customer_gateway_tags"></a> [customer\_gateway\_tags](#input\_customer\_gateway\_tags) | Additional tags for the Customer Gateway | `map(string)` | `{}` | no |
| <a name="input_customer_gateways"></a> [customer\_gateways](#input\_customer\_gateways) | Maps of Customer Gateway's attributes (BGP ASN and Gateway's Internet-routable external IP address) | `map(map(any))` | `{}` | no |
| <a name="input_customer_owned_ipv4_pool"></a> [customer\_owned\_ipv4\_pool](#input\_customer\_owned\_ipv4\_pool) | The customer owned IPv4 address pool. Typically used with the `map_customer_owned_ip_on_launch` argument. The `outpost_arn` argument must be specified when configured | `string` | `null` | no |
| <a name="input_database_acl_tags"></a> [database\_acl\_tags](#input\_database\_acl\_tags) | Additional tags for the database subnets network ACL | `map(string)` | `{}` | no |
| <a name="input_database_dedicated_network_acl"></a> [database\_dedicated\_network\_acl](#input\_database\_dedicated\_network\_acl) | Whether to use dedicated network ACL (not default) and custom rules for database subnets | `bool` | `false` | no |
| <a name="input_database_inbound_acl_rules"></a> [database\_inbound\_acl\_rules](#input\_database\_inbound\_acl\_rules) | Database subnets inbound network ACL rules | `list(map(string))` | <pre>[<br> {<br> "cidr_block": "0.0.0.0/0",<br> "from_port": 0,<br> "protocol": "-1",<br> "rule_action": "allow",<br> "rule_number": 100,<br> "to_port": 0<br> }<br>]</pre> | no |
| <a name="input_database_outbound_acl_rules"></a> [database\_outbound\_acl\_rules](#input\_database\_outbound\_acl\_rules) | Database subnets outbound network ACL rules | `list(map(string))` | <pre>[<br> {<br> "cidr_block": "0.0.0.0/0",<br> "from_port": 0,<br> "protocol": "-1",<br> "rule_action": "allow",<br> "rule_number": 100,<br> "to_port": 0<br> }<br>]</pre> | no |
| <a name="input_database_route_table_tags"></a> [database\_route\_table\_tags](#input\_database\_route\_table\_tags) | Additional tags for the database route tables | `map(string)` | `{}` | no |
| <a name="input_database_subnet_assign_ipv6_address_on_creation"></a> [database\_subnet\_assign\_ipv6\_address\_on\_creation](#input\_database\_subnet\_assign\_ipv6\_address\_on\_creation) | Assign IPv6 address on database subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map\_public\_ip\_on\_launch | `bool` | `null` | no |
| <a name="input_database_subnet_assign_ipv6_address_on_creation"></a> [database\_subnet\_assign\_ipv6\_address\_on\_creation](#input\_database\_subnet\_assign\_ipv6\_address\_on\_creation) | Specify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. Default is `false` | `bool` | `false` | no |
| <a name="input_database_subnet_enable_dns64"></a> [database\_subnet\_enable\_dns64](#input\_database\_subnet\_enable\_dns64) | Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: `true` | `bool` | `true` | no |
| <a name="input_database_subnet_enable_resource_name_dns_a_record_on_launch"></a> [database\_subnet\_enable\_resource\_name\_dns\_a\_record\_on\_launch](#input\_database\_subnet\_enable\_resource\_name\_dns\_a\_record\_on\_launch) | Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: `false` | `bool` | `false` | no |
| <a name="input_database_subnet_enable_resource_name_dns_aaaa_record_on_launch"></a> [database\_subnet\_enable\_resource\_name\_dns\_aaaa\_record\_on\_launch](#input\_database\_subnet\_enable\_resource\_name\_dns\_aaaa\_record\_on\_launch) | Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: `true` | `bool` | `true` | no |
| <a name="input_database_subnet_group_name"></a> [database\_subnet\_group\_name](#input\_database\_subnet\_group\_name) | Name of database subnet group | `string` | `null` | no |
| <a name="input_database_subnet_group_tags"></a> [database\_subnet\_group\_tags](#input\_database\_subnet\_group\_tags) | Additional tags for the database subnet group | `map(string)` | `{}` | no |
| <a name="input_database_subnet_ipv6_native"></a> [database\_subnet\_ipv6\_native](#input\_database\_subnet\_ipv6\_native) | Indicates whether to create an IPv6-only subnet. Default: `false` | `bool` | `false` | no |
| <a name="input_database_subnet_ipv6_prefixes"></a> [database\_subnet\_ipv6\_prefixes](#input\_database\_subnet\_ipv6\_prefixes) | Assigns IPv6 database subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list | `list(string)` | `[]` | no |
| <a name="input_database_subnet_names"></a> [database\_subnet\_names](#input\_database\_subnet\_names) | Explicit values to use in the Name tag on database subnets. If empty, Name tags are generated. | `list(string)` | `[]` | no |
| <a name="input_database_subnet_names"></a> [database\_subnet\_names](#input\_database\_subnet\_names) | Explicit values to use in the Name tag on database subnets. If empty, Name tags are generated | `list(string)` | `[]` | no |
| <a name="input_database_subnet_private_dns_hostname_type_on_launch"></a> [database\_subnet\_private\_dns\_hostname\_type\_on\_launch](#input\_database\_subnet\_private\_dns\_hostname\_type\_on\_launch) | The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name` | `string` | `null` | no |
| <a name="input_database_subnet_suffix"></a> [database\_subnet\_suffix](#input\_database\_subnet\_suffix) | Suffix to append to database subnets name | `string` | `"db"` | no |
| <a name="input_database_subnet_tags"></a> [database\_subnet\_tags](#input\_database\_subnet\_tags) | Additional tags for the database subnets | `map(string)` | `{}` | no |
| <a name="input_database_subnets"></a> [database\_subnets](#input\_database\_subnets) | A list of database subnets | `list(string)` | `[]` | no |
| <a name="input_database_subnets"></a> [database\_subnets](#input\_database\_subnets) | A list of database subnets inside the VPC | `list(string)` | `[]` | no |
| <a name="input_default_network_acl_egress"></a> [default\_network\_acl\_egress](#input\_default\_network\_acl\_egress) | List of maps of egress rules to set on the Default Network ACL | `list(map(string))` | <pre>[<br> {<br> "action": "allow",<br> "cidr_block": "0.0.0.0/0",<br> "from_port": 0,<br> "protocol": "-1",<br> "rule_no": 100,<br> "to_port": 0<br> },<br> {<br> "action": "allow",<br> "from_port": 0,<br> "ipv6_cidr_block": "::/0",<br> "protocol": "-1",<br> "rule_no": 101,<br> "to_port": 0<br> }<br>]</pre> | no |
| <a name="input_default_network_acl_ingress"></a> [default\_network\_acl\_ingress](#input\_default\_network\_acl\_ingress) | List of maps of ingress rules to set on the Default Network ACL | `list(map(string))` | <pre>[<br> {<br> "action": "allow",<br> "cidr_block": "0.0.0.0/0",<br> "from_port": 0,<br> "protocol": "-1",<br> "rule_no": 100,<br> "to_port": 0<br> },<br> {<br> "action": "allow",<br> "from_port": 0,<br> "ipv6_cidr_block": "::/0",<br> "protocol": "-1",<br> "rule_no": 101,<br> "to_port": 0<br> }<br>]</pre> | no |
| <a name="input_default_network_acl_name"></a> [default\_network\_acl\_name](#input\_default\_network\_acl\_name) | Name to be used on the Default Network ACL | `string` | `null` | no |
......@@ -396,8 +403,7 @@ No modules.
| <a name="input_default_security_group_ingress"></a> [default\_security\_group\_ingress](#input\_default\_security\_group\_ingress) | List of maps of ingress rules to set on the default security group | `list(map(string))` | `[]` | no |
| <a name="input_default_security_group_name"></a> [default\_security\_group\_name](#input\_default\_security\_group\_name) | Name to be used on the default security group | `string` | `null` | no |
| <a name="input_default_security_group_tags"></a> [default\_security\_group\_tags](#input\_default\_security\_group\_tags) | Additional tags for the default security group | `map(string)` | `{}` | no |
| <a name="input_default_vpc_enable_classiclink"></a> [default\_vpc\_enable\_classiclink](#input\_default\_vpc\_enable\_classiclink) | [DEPRECATED](https://github.com/hashicorp/terraform/issues/31730) Should be true to enable ClassicLink in the Default VPC | `bool` | `false` | no |
| <a name="input_default_vpc_enable_dns_hostnames"></a> [default\_vpc\_enable\_dns\_hostnames](#input\_default\_vpc\_enable\_dns\_hostnames) | Should be true to enable DNS hostnames in the Default VPC | `bool` | `false` | no |
| <a name="input_default_vpc_enable_dns_hostnames"></a> [default\_vpc\_enable\_dns\_hostnames](#input\_default\_vpc\_enable\_dns\_hostnames) | Should be true to enable DNS hostnames in the Default VPC | `bool` | `true` | no |
| <a name="input_default_vpc_enable_dns_support"></a> [default\_vpc\_enable\_dns\_support](#input\_default\_vpc\_enable\_dns\_support) | Should be true to enable DNS support in the Default VPC | `bool` | `true` | no |
| <a name="input_default_vpc_name"></a> [default\_vpc\_name](#input\_default\_vpc\_name) | Name to be used on the Default VPC | `string` | `null` | no |
| <a name="input_default_vpc_tags"></a> [default\_vpc\_tags](#input\_default\_vpc\_tags) | Additional tags for the Default VPC | `map(string)` | `{}` | no |
......@@ -412,39 +418,43 @@ No modules.
| <a name="input_elasticache_inbound_acl_rules"></a> [elasticache\_inbound\_acl\_rules](#input\_elasticache\_inbound\_acl\_rules) | Elasticache subnets inbound network ACL rules | `list(map(string))` | <pre>[<br> {<br> "cidr_block": "0.0.0.0/0",<br> "from_port": 0,<br> "protocol": "-1",<br> "rule_action": "allow",<br> "rule_number": 100,<br> "to_port": 0<br> }<br>]</pre> | no |
| <a name="input_elasticache_outbound_acl_rules"></a> [elasticache\_outbound\_acl\_rules](#input\_elasticache\_outbound\_acl\_rules) | Elasticache subnets outbound network ACL rules | `list(map(string))` | <pre>[<br> {<br> "cidr_block": "0.0.0.0/0",<br> "from_port": 0,<br> "protocol": "-1",<br> "rule_action": "allow",<br> "rule_number": 100,<br> "to_port": 0<br> }<br>]</pre> | no |
| <a name="input_elasticache_route_table_tags"></a> [elasticache\_route\_table\_tags](#input\_elasticache\_route\_table\_tags) | Additional tags for the elasticache route tables | `map(string)` | `{}` | no |
| <a name="input_elasticache_subnet_assign_ipv6_address_on_creation"></a> [elasticache\_subnet\_assign\_ipv6\_address\_on\_creation](#input\_elasticache\_subnet\_assign\_ipv6\_address\_on\_creation) | Assign IPv6 address on elasticache subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map\_public\_ip\_on\_launch | `bool` | `null` | no |
| <a name="input_elasticache_subnet_assign_ipv6_address_on_creation"></a> [elasticache\_subnet\_assign\_ipv6\_address\_on\_creation](#input\_elasticache\_subnet\_assign\_ipv6\_address\_on\_creation) | Specify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. Default is `false` | `bool` | `false` | no |
| <a name="input_elasticache_subnet_enable_dns64"></a> [elasticache\_subnet\_enable\_dns64](#input\_elasticache\_subnet\_enable\_dns64) | Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: `true` | `bool` | `true` | no |
| <a name="input_elasticache_subnet_enable_resource_name_dns_a_record_on_launch"></a> [elasticache\_subnet\_enable\_resource\_name\_dns\_a\_record\_on\_launch](#input\_elasticache\_subnet\_enable\_resource\_name\_dns\_a\_record\_on\_launch) | Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: `false` | `bool` | `false` | no |
| <a name="input_elasticache_subnet_enable_resource_name_dns_aaaa_record_on_launch"></a> [elasticache\_subnet\_enable\_resource\_name\_dns\_aaaa\_record\_on\_launch](#input\_elasticache\_subnet\_enable\_resource\_name\_dns\_aaaa\_record\_on\_launch) | Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: `true` | `bool` | `true` | no |
| <a name="input_elasticache_subnet_group_name"></a> [elasticache\_subnet\_group\_name](#input\_elasticache\_subnet\_group\_name) | Name of elasticache subnet group | `string` | `null` | no |
| <a name="input_elasticache_subnet_group_tags"></a> [elasticache\_subnet\_group\_tags](#input\_elasticache\_subnet\_group\_tags) | Additional tags for the elasticache subnet group | `map(string)` | `{}` | no |
| <a name="input_elasticache_subnet_ipv6_native"></a> [elasticache\_subnet\_ipv6\_native](#input\_elasticache\_subnet\_ipv6\_native) | Indicates whether to create an IPv6-only subnet. Default: `false` | `bool` | `false` | no |
| <a name="input_elasticache_subnet_ipv6_prefixes"></a> [elasticache\_subnet\_ipv6\_prefixes](#input\_elasticache\_subnet\_ipv6\_prefixes) | Assigns IPv6 elasticache subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list | `list(string)` | `[]` | no |
| <a name="input_elasticache_subnet_names"></a> [elasticache\_subnet\_names](#input\_elasticache\_subnet\_names) | Explicit values to use in the Name tag on elasticache subnets. If empty, Name tags are generated. | `list(string)` | `[]` | no |
| <a name="input_elasticache_subnet_names"></a> [elasticache\_subnet\_names](#input\_elasticache\_subnet\_names) | Explicit values to use in the Name tag on elasticache subnets. If empty, Name tags are generated | `list(string)` | `[]` | no |
| <a name="input_elasticache_subnet_private_dns_hostname_type_on_launch"></a> [elasticache\_subnet\_private\_dns\_hostname\_type\_on\_launch](#input\_elasticache\_subnet\_private\_dns\_hostname\_type\_on\_launch) | The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name` | `string` | `null` | no |
| <a name="input_elasticache_subnet_suffix"></a> [elasticache\_subnet\_suffix](#input\_elasticache\_subnet\_suffix) | Suffix to append to elasticache subnets name | `string` | `"elasticache"` | no |
| <a name="input_elasticache_subnet_tags"></a> [elasticache\_subnet\_tags](#input\_elasticache\_subnet\_tags) | Additional tags for the elasticache subnets | `map(string)` | `{}` | no |
| <a name="input_elasticache_subnets"></a> [elasticache\_subnets](#input\_elasticache\_subnets) | A list of elasticache subnets | `list(string)` | `[]` | no |
| <a name="input_enable_classiclink"></a> [enable\_classiclink](#input\_enable\_classiclink) | [DEPRECATED](https://github.com/hashicorp/terraform/issues/31730) Should be true to enable ClassicLink for the VPC. Only valid in regions and accounts that support EC2 Classic. | `bool` | `null` | no |
| <a name="input_enable_classiclink_dns_support"></a> [enable\_classiclink\_dns\_support](#input\_enable\_classiclink\_dns\_support) | [DEPRECATED](https://github.com/hashicorp/terraform/issues/31730) Should be true to enable ClassicLink DNS Support for the VPC. Only valid in regions and accounts that support EC2 Classic. | `bool` | `null` | no |
| <a name="input_elasticache_subnets"></a> [elasticache\_subnets](#input\_elasticache\_subnets) | A list of elasticache subnets inside the VPC | `list(string)` | `[]` | no |
| <a name="input_enable_dhcp_options"></a> [enable\_dhcp\_options](#input\_enable\_dhcp\_options) | Should be true if you want to specify a DHCP options set with a custom domain name, DNS servers, NTP servers, netbios servers, and/or netbios server type | `bool` | `false` | no |
| <a name="input_enable_dns_hostnames"></a> [enable\_dns\_hostnames](#input\_enable\_dns\_hostnames) | Should be true to enable DNS hostnames in the VPC | `bool` | `false` | no |
| <a name="input_enable_dns_hostnames"></a> [enable\_dns\_hostnames](#input\_enable\_dns\_hostnames) | Should be true to enable DNS hostnames in the VPC | `bool` | `true` | no |
| <a name="input_enable_dns_support"></a> [enable\_dns\_support](#input\_enable\_dns\_support) | Should be true to enable DNS support in the VPC | `bool` | `true` | no |
| <a name="input_enable_flow_log"></a> [enable\_flow\_log](#input\_enable\_flow\_log) | Whether or not to enable VPC Flow Logs | `bool` | `false` | no |
| <a name="input_enable_ipv6"></a> [enable\_ipv6](#input\_enable\_ipv6) | Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block. | `bool` | `false` | no |
| <a name="input_enable_ipv6"></a> [enable\_ipv6](#input\_enable\_ipv6) | Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block | `bool` | `false` | no |
| <a name="input_enable_nat_gateway"></a> [enable\_nat\_gateway](#input\_enable\_nat\_gateway) | Should be true if you want to provision NAT Gateways for each of your private networks | `bool` | `false` | no |
| <a name="input_enable_network_address_usage_metrics"></a> [enable\_network\_address\_usage\_metrics](#input\_enable\_network\_address\_usage\_metrics) | Determines whether network address usage metrics are enabled for the VPC | `bool` | `null` | no |
| <a name="input_enable_public_redshift"></a> [enable\_public\_redshift](#input\_enable\_public\_redshift) | Controls if redshift should have public routing table | `bool` | `false` | no |
| <a name="input_enable_vpn_gateway"></a> [enable\_vpn\_gateway](#input\_enable\_vpn\_gateway) | Should be true if you want to create a new VPN Gateway resource and attach it to the VPC | `bool` | `false` | no |
| <a name="input_external_nat_ip_ids"></a> [external\_nat\_ip\_ids](#input\_external\_nat\_ip\_ids) | List of EIP IDs to be assigned to the NAT Gateways (used in combination with reuse\_nat\_ips) | `list(string)` | `[]` | no |
| <a name="input_external_nat_ips"></a> [external\_nat\_ips](#input\_external\_nat\_ips) | List of EIPs to be used for `nat_public_ips` output (used in combination with reuse\_nat\_ips and external\_nat\_ip\_ids) | `list(string)` | `[]` | no |
| <a name="input_flow_log_cloudwatch_iam_role_arn"></a> [flow\_log\_cloudwatch\_iam\_role\_arn](#input\_flow\_log\_cloudwatch\_iam\_role\_arn) | The ARN for the IAM role that's used to post flow logs to a CloudWatch Logs log group. When flow\_log\_destination\_arn is set to ARN of Cloudwatch Logs, this argument needs to be provided. | `string` | `""` | no |
| <a name="input_flow_log_cloudwatch_log_group_kms_key_id"></a> [flow\_log\_cloudwatch\_log\_group\_kms\_key\_id](#input\_flow\_log\_cloudwatch\_log\_group\_kms\_key\_id) | The ARN of the KMS Key to use when encrypting log data for VPC flow logs. | `string` | `null` | no |
| <a name="input_flow_log_cloudwatch_log_group_name_prefix"></a> [flow\_log\_cloudwatch\_log\_group\_name\_prefix](#input\_flow\_log\_cloudwatch\_log\_group\_name\_prefix) | Specifies the name prefix of CloudWatch Log Group for VPC flow logs. | `string` | `"/aws/vpc-flow-log/"` | no |
| <a name="input_flow_log_cloudwatch_log_group_name_suffix"></a> [flow\_log\_cloudwatch\_log\_group\_name\_suffix](#input\_flow\_log\_cloudwatch\_log\_group\_name\_suffix) | Specifies the name suffix of CloudWatch Log Group for VPC flow logs. | `string` | `""` | no |
| <a name="input_flow_log_cloudwatch_log_group_retention_in_days"></a> [flow\_log\_cloudwatch\_log\_group\_retention\_in\_days](#input\_flow\_log\_cloudwatch\_log\_group\_retention\_in\_days) | Specifies the number of days you want to retain log events in the specified log group for VPC flow logs. | `number` | `null` | no |
| <a name="input_flow_log_destination_arn"></a> [flow\_log\_destination\_arn](#input\_flow\_log\_destination\_arn) | The ARN of the CloudWatch log group or S3 bucket where VPC Flow Logs will be pushed. If this ARN is a S3 bucket the appropriate permissions need to be set on that bucket's policy. When create\_flow\_log\_cloudwatch\_log\_group is set to false this argument must be provided. | `string` | `""` | no |
| <a name="input_flow_log_destination_type"></a> [flow\_log\_destination\_type](#input\_flow\_log\_destination\_type) | Type of flow log destination. Can be s3 or cloud-watch-logs. | `string` | `"cloud-watch-logs"` | no |
| <a name="input_flow_log_file_format"></a> [flow\_log\_file\_format](#input\_flow\_log\_file\_format) | (Optional) The format for the flow log. Valid values: `plain-text`, `parquet`. | `string` | `"plain-text"` | no |
| <a name="input_flow_log_hive_compatible_partitions"></a> [flow\_log\_hive\_compatible\_partitions](#input\_flow\_log\_hive\_compatible\_partitions) | (Optional) Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3. | `bool` | `false` | no |
| <a name="input_flow_log_log_format"></a> [flow\_log\_log\_format](#input\_flow\_log\_log\_format) | The fields to include in the flow log record, in the order in which they should appear. | `string` | `null` | no |
| <a name="input_flow_log_max_aggregation_interval"></a> [flow\_log\_max\_aggregation\_interval](#input\_flow\_log\_max\_aggregation\_interval) | The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: `60` seconds or `600` seconds. | `number` | `600` | no |
| <a name="input_flow_log_per_hour_partition"></a> [flow\_log\_per\_hour\_partition](#input\_flow\_log\_per\_hour\_partition) | (Optional) Indicates whether to partition the flow log per hour. This reduces the cost and response time for queries. | `bool` | `false` | no |
| <a name="input_flow_log_traffic_type"></a> [flow\_log\_traffic\_type](#input\_flow\_log\_traffic\_type) | The type of traffic to capture. Valid values: ACCEPT, REJECT, ALL. | `string` | `"ALL"` | no |
| <a name="input_flow_log_cloudwatch_iam_role_arn"></a> [flow\_log\_cloudwatch\_iam\_role\_arn](#input\_flow\_log\_cloudwatch\_iam\_role\_arn) | The ARN for the IAM role that's used to post flow logs to a CloudWatch Logs log group. When flow\_log\_destination\_arn is set to ARN of Cloudwatch Logs, this argument needs to be provided | `string` | `""` | no |
| <a name="input_flow_log_cloudwatch_log_group_kms_key_id"></a> [flow\_log\_cloudwatch\_log\_group\_kms\_key\_id](#input\_flow\_log\_cloudwatch\_log\_group\_kms\_key\_id) | The ARN of the KMS Key to use when encrypting log data for VPC flow logs | `string` | `null` | no |
| <a name="input_flow_log_cloudwatch_log_group_name_prefix"></a> [flow\_log\_cloudwatch\_log\_group\_name\_prefix](#input\_flow\_log\_cloudwatch\_log\_group\_name\_prefix) | Specifies the name prefix of CloudWatch Log Group for VPC flow logs | `string` | `"/aws/vpc-flow-log/"` | no |
| <a name="input_flow_log_cloudwatch_log_group_name_suffix"></a> [flow\_log\_cloudwatch\_log\_group\_name\_suffix](#input\_flow\_log\_cloudwatch\_log\_group\_name\_suffix) | Specifies the name suffix of CloudWatch Log Group for VPC flow logs | `string` | `""` | no |
| <a name="input_flow_log_cloudwatch_log_group_retention_in_days"></a> [flow\_log\_cloudwatch\_log\_group\_retention\_in\_days](#input\_flow\_log\_cloudwatch\_log\_group\_retention\_in\_days) | Specifies the number of days you want to retain log events in the specified log group for VPC flow logs | `number` | `null` | no |
| <a name="input_flow_log_destination_arn"></a> [flow\_log\_destination\_arn](#input\_flow\_log\_destination\_arn) | The ARN of the CloudWatch log group or S3 bucket where VPC Flow Logs will be pushed. If this ARN is a S3 bucket the appropriate permissions need to be set on that bucket's policy. When create\_flow\_log\_cloudwatch\_log\_group is set to false this argument must be provided | `string` | `""` | no |
| <a name="input_flow_log_destination_type"></a> [flow\_log\_destination\_type](#input\_flow\_log\_destination\_type) | Type of flow log destination. Can be s3 or cloud-watch-logs | `string` | `"cloud-watch-logs"` | no |
| <a name="input_flow_log_file_format"></a> [flow\_log\_file\_format](#input\_flow\_log\_file\_format) | (Optional) The format for the flow log. Valid values: `plain-text`, `parquet` | `string` | `null` | no |
| <a name="input_flow_log_hive_compatible_partitions"></a> [flow\_log\_hive\_compatible\_partitions](#input\_flow\_log\_hive\_compatible\_partitions) | (Optional) Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3 | `bool` | `false` | no |
| <a name="input_flow_log_log_format"></a> [flow\_log\_log\_format](#input\_flow\_log\_log\_format) | The fields to include in the flow log record, in the order in which they should appear | `string` | `null` | no |
| <a name="input_flow_log_max_aggregation_interval"></a> [flow\_log\_max\_aggregation\_interval](#input\_flow\_log\_max\_aggregation\_interval) | The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: `60` seconds or `600` seconds | `number` | `600` | no |
| <a name="input_flow_log_per_hour_partition"></a> [flow\_log\_per\_hour\_partition](#input\_flow\_log\_per\_hour\_partition) | (Optional) Indicates whether to partition the flow log per hour. This reduces the cost and response time for queries | `bool` | `false` | no |
| <a name="input_flow_log_traffic_type"></a> [flow\_log\_traffic\_type](#input\_flow\_log\_traffic\_type) | The type of traffic to capture. Valid values: ACCEPT, REJECT, ALL | `string` | `"ALL"` | no |
| <a name="input_igw_tags"></a> [igw\_tags](#input\_igw\_tags) | Additional tags for the internet gateway | `map(string)` | `{}` | no |
| <a name="input_instance_tenancy"></a> [instance\_tenancy](#input\_instance\_tenancy) | A tenancy option for instances launched into the VPC | `string` | `"default"` | no |
| <a name="input_intra_acl_tags"></a> [intra\_acl\_tags](#input\_intra\_acl\_tags) | Additional tags for the intra subnets network ACL | `map(string)` | `{}` | no |
......@@ -452,36 +462,48 @@ No modules.
| <a name="input_intra_inbound_acl_rules"></a> [intra\_inbound\_acl\_rules](#input\_intra\_inbound\_acl\_rules) | Intra subnets inbound network ACLs | `list(map(string))` | <pre>[<br> {<br> "cidr_block": "0.0.0.0/0",<br> "from_port": 0,<br> "protocol": "-1",<br> "rule_action": "allow",<br> "rule_number": 100,<br> "to_port": 0<br> }<br>]</pre> | no |
| <a name="input_intra_outbound_acl_rules"></a> [intra\_outbound\_acl\_rules](#input\_intra\_outbound\_acl\_rules) | Intra subnets outbound network ACLs | `list(map(string))` | <pre>[<br> {<br> "cidr_block": "0.0.0.0/0",<br> "from_port": 0,<br> "protocol": "-1",<br> "rule_action": "allow",<br> "rule_number": 100,<br> "to_port": 0<br> }<br>]</pre> | no |
| <a name="input_intra_route_table_tags"></a> [intra\_route\_table\_tags](#input\_intra\_route\_table\_tags) | Additional tags for the intra route tables | `map(string)` | `{}` | no |
| <a name="input_intra_subnet_assign_ipv6_address_on_creation"></a> [intra\_subnet\_assign\_ipv6\_address\_on\_creation](#input\_intra\_subnet\_assign\_ipv6\_address\_on\_creation) | Assign IPv6 address on intra subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map\_public\_ip\_on\_launch | `bool` | `null` | no |
| <a name="input_intra_subnet_assign_ipv6_address_on_creation"></a> [intra\_subnet\_assign\_ipv6\_address\_on\_creation](#input\_intra\_subnet\_assign\_ipv6\_address\_on\_creation) | Specify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. Default is `false` | `bool` | `false` | no |
| <a name="input_intra_subnet_enable_dns64"></a> [intra\_subnet\_enable\_dns64](#input\_intra\_subnet\_enable\_dns64) | Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: `true` | `bool` | `true` | no |
| <a name="input_intra_subnet_enable_resource_name_dns_a_record_on_launch"></a> [intra\_subnet\_enable\_resource\_name\_dns\_a\_record\_on\_launch](#input\_intra\_subnet\_enable\_resource\_name\_dns\_a\_record\_on\_launch) | Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: `false` | `bool` | `false` | no |
| <a name="input_intra_subnet_enable_resource_name_dns_aaaa_record_on_launch"></a> [intra\_subnet\_enable\_resource\_name\_dns\_aaaa\_record\_on\_launch](#input\_intra\_subnet\_enable\_resource\_name\_dns\_aaaa\_record\_on\_launch) | Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: `true` | `bool` | `true` | no |
| <a name="input_intra_subnet_ipv6_native"></a> [intra\_subnet\_ipv6\_native](#input\_intra\_subnet\_ipv6\_native) | Indicates whether to create an IPv6-only subnet. Default: `false` | `bool` | `false` | no |
| <a name="input_intra_subnet_ipv6_prefixes"></a> [intra\_subnet\_ipv6\_prefixes](#input\_intra\_subnet\_ipv6\_prefixes) | Assigns IPv6 intra subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list | `list(string)` | `[]` | no |
| <a name="input_intra_subnet_names"></a> [intra\_subnet\_names](#input\_intra\_subnet\_names) | Explicit values to use in the Name tag on intra subnets. If empty, Name tags are generated. | `list(string)` | `[]` | no |
| <a name="input_intra_subnet_names"></a> [intra\_subnet\_names](#input\_intra\_subnet\_names) | Explicit values to use in the Name tag on intra subnets. If empty, Name tags are generated | `list(string)` | `[]` | no |
| <a name="input_intra_subnet_private_dns_hostname_type_on_launch"></a> [intra\_subnet\_private\_dns\_hostname\_type\_on\_launch](#input\_intra\_subnet\_private\_dns\_hostname\_type\_on\_launch) | The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name` | `string` | `null` | no |
| <a name="input_intra_subnet_suffix"></a> [intra\_subnet\_suffix](#input\_intra\_subnet\_suffix) | Suffix to append to intra subnets name | `string` | `"intra"` | no |
| <a name="input_intra_subnet_tags"></a> [intra\_subnet\_tags](#input\_intra\_subnet\_tags) | Additional tags for the intra subnets | `map(string)` | `{}` | no |
| <a name="input_intra_subnets"></a> [intra\_subnets](#input\_intra\_subnets) | A list of intra subnets | `list(string)` | `[]` | no |
| <a name="input_ipv4_ipam_pool_id"></a> [ipv4\_ipam\_pool\_id](#input\_ipv4\_ipam\_pool\_id) | (Optional) The ID of an IPv4 IPAM pool you want to use for allocating this VPC's CIDR. | `string` | `null` | no |
| <a name="input_ipv4_netmask_length"></a> [ipv4\_netmask\_length](#input\_ipv4\_netmask\_length) | (Optional) The netmask length of the IPv4 CIDR you want to allocate to this VPC. Requires specifying a ipv4\_ipam\_pool\_id. | `number` | `null` | no |
| <a name="input_ipv6_cidr"></a> [ipv6\_cidr](#input\_ipv6\_cidr) | (Optional) IPv6 CIDR block to request from an IPAM Pool. Can be set explicitly or derived from IPAM using `ipv6_netmask_length`. | `string` | `null` | no |
| <a name="input_ipv6_ipam_pool_id"></a> [ipv6\_ipam\_pool\_id](#input\_ipv6\_ipam\_pool\_id) | (Optional) IPAM Pool ID for a IPv6 pool. Conflicts with `assign_generated_ipv6_cidr_block`. | `string` | `null` | no |
| <a name="input_ipv6_netmask_length"></a> [ipv6\_netmask\_length](#input\_ipv6\_netmask\_length) | (Optional) Netmask length to request from IPAM Pool. Conflicts with `ipv6_cidr_block`. This can be omitted if IPAM pool as a `allocation_default_netmask_length` set. Valid values: `56`. | `number` | `null` | no |
| <a name="input_manage_default_network_acl"></a> [manage\_default\_network\_acl](#input\_manage\_default\_network\_acl) | Should be true to adopt and manage Default Network ACL | `bool` | `false` | no |
| <a name="input_manage_default_route_table"></a> [manage\_default\_route\_table](#input\_manage\_default\_route\_table) | Should be true to manage default route table | `bool` | `false` | no |
| <a name="input_manage_default_security_group"></a> [manage\_default\_security\_group](#input\_manage\_default\_security\_group) | Should be true to adopt and manage default security group | `bool` | `false` | no |
| <a name="input_intra_subnets"></a> [intra\_subnets](#input\_intra\_subnets) | A list of intra subnets inside the VPC | `list(string)` | `[]` | no |
| <a name="input_ipv4_ipam_pool_id"></a> [ipv4\_ipam\_pool\_id](#input\_ipv4\_ipam\_pool\_id) | (Optional) The ID of an IPv4 IPAM pool you want to use for allocating this VPC's CIDR | `string` | `null` | no |
| <a name="input_ipv4_netmask_length"></a> [ipv4\_netmask\_length](#input\_ipv4\_netmask\_length) | (Optional) The netmask length of the IPv4 CIDR you want to allocate to this VPC. Requires specifying a ipv4\_ipam\_pool\_id | `number` | `null` | no |
| <a name="input_ipv6_cidr"></a> [ipv6\_cidr](#input\_ipv6\_cidr) | (Optional) IPv6 CIDR block to request from an IPAM Pool. Can be set explicitly or derived from IPAM using `ipv6_netmask_length` | `string` | `null` | no |
| <a name="input_ipv6_cidr_block_network_border_group"></a> [ipv6\_cidr\_block\_network\_border\_group](#input\_ipv6\_cidr\_block\_network\_border\_group) | By default when an IPv6 CIDR is assigned to a VPC a default ipv6\_cidr\_block\_network\_border\_group will be set to the region of the VPC. This can be changed to restrict advertisement of public addresses to specific Network Border Groups such as LocalZones | `string` | `null` | no |
| <a name="input_ipv6_ipam_pool_id"></a> [ipv6\_ipam\_pool\_id](#input\_ipv6\_ipam\_pool\_id) | (Optional) IPAM Pool ID for a IPv6 pool. Conflicts with `assign_generated_ipv6_cidr_block` | `string` | `null` | no |
| <a name="input_ipv6_netmask_length"></a> [ipv6\_netmask\_length](#input\_ipv6\_netmask\_length) | (Optional) Netmask length to request from IPAM Pool. Conflicts with `ipv6_cidr_block`. This can be omitted if IPAM pool as a `allocation_default_netmask_length` set. Valid values: `56` | `number` | `null` | no |
| <a name="input_manage_default_network_acl"></a> [manage\_default\_network\_acl](#input\_manage\_default\_network\_acl) | Should be true to adopt and manage Default Network ACL | `bool` | `true` | no |
| <a name="input_manage_default_route_table"></a> [manage\_default\_route\_table](#input\_manage\_default\_route\_table) | Should be true to manage default route table | `bool` | `true` | no |
| <a name="input_manage_default_security_group"></a> [manage\_default\_security\_group](#input\_manage\_default\_security\_group) | Should be true to adopt and manage default security group | `bool` | `true` | no |
| <a name="input_manage_default_vpc"></a> [manage\_default\_vpc](#input\_manage\_default\_vpc) | Should be true to adopt and manage Default VPC | `bool` | `false` | no |
| <a name="input_map_public_ip_on_launch"></a> [map\_public\_ip\_on\_launch](#input\_map\_public\_ip\_on\_launch) | Should be false if you do not want to auto-assign public IP on launch | `bool` | `true` | no |
| <a name="input_map_customer_owned_ip_on_launch"></a> [map\_customer\_owned\_ip\_on\_launch](#input\_map\_customer\_owned\_ip\_on\_launch) | Specify true to indicate that network interfaces created in the subnet should be assigned a customer owned IP address. The `customer_owned_ipv4_pool` and `outpost_arn` arguments must be specified when set to `true`. Default is `false` | `bool` | `false` | no |
| <a name="input_map_public_ip_on_launch"></a> [map\_public\_ip\_on\_launch](#input\_map\_public\_ip\_on\_launch) | Specify true to indicate that instances launched into the subnet should be assigned a public IP address. Default is `false` | `bool` | `false` | no |
| <a name="input_name"></a> [name](#input\_name) | Name to be used on all the resources as identifier | `string` | `""` | no |
| <a name="input_nat_eip_tags"></a> [nat\_eip\_tags](#input\_nat\_eip\_tags) | Additional tags for the NAT EIP | `map(string)` | `{}` | no |
| <a name="input_nat_gateway_destination_cidr_block"></a> [nat\_gateway\_destination\_cidr\_block](#input\_nat\_gateway\_destination\_cidr\_block) | Used to pass a custom destination route for private NAT Gateway. If not specified, the default 0.0.0.0/0 is used as a destination route. | `string` | `"0.0.0.0/0"` | no |
| <a name="input_nat_gateway_destination_cidr_block"></a> [nat\_gateway\_destination\_cidr\_block](#input\_nat\_gateway\_destination\_cidr\_block) | Used to pass a custom destination route for private NAT Gateway. If not specified, the default 0.0.0.0/0 is used as a destination route | `string` | `"0.0.0.0/0"` | no |
| <a name="input_nat_gateway_tags"></a> [nat\_gateway\_tags](#input\_nat\_gateway\_tags) | Additional tags for the NAT gateways | `map(string)` | `{}` | no |
| <a name="input_one_nat_gateway_per_az"></a> [one\_nat\_gateway\_per\_az](#input\_one\_nat\_gateway\_per\_az) | Should be true if you want only one NAT Gateway per availability zone. Requires `var.azs` to be set, and the number of `public_subnets` created to be greater than or equal to the number of availability zones specified in `var.azs`. | `bool` | `false` | no |
| <a name="input_one_nat_gateway_per_az"></a> [one\_nat\_gateway\_per\_az](#input\_one\_nat\_gateway\_per\_az) | Should be true if you want only one NAT Gateway per availability zone. Requires `var.azs` to be set, and the number of `public_subnets` created to be greater than or equal to the number of availability zones specified in `var.azs` | `bool` | `false` | no |
| <a name="input_outpost_acl_tags"></a> [outpost\_acl\_tags](#input\_outpost\_acl\_tags) | Additional tags for the outpost subnets network ACL | `map(string)` | `{}` | no |
| <a name="input_outpost_arn"></a> [outpost\_arn](#input\_outpost\_arn) | ARN of Outpost you want to create a subnet in. | `string` | `null` | no |
| <a name="input_outpost_az"></a> [outpost\_az](#input\_outpost\_az) | AZ where Outpost is anchored. | `string` | `null` | no |
| <a name="input_outpost_arn"></a> [outpost\_arn](#input\_outpost\_arn) | ARN of Outpost you want to create a subnet in | `string` | `null` | no |
| <a name="input_outpost_az"></a> [outpost\_az](#input\_outpost\_az) | AZ where Outpost is anchored | `string` | `null` | no |
| <a name="input_outpost_dedicated_network_acl"></a> [outpost\_dedicated\_network\_acl](#input\_outpost\_dedicated\_network\_acl) | Whether to use dedicated network ACL (not default) and custom rules for outpost subnets | `bool` | `false` | no |
| <a name="input_outpost_inbound_acl_rules"></a> [outpost\_inbound\_acl\_rules](#input\_outpost\_inbound\_acl\_rules) | Outpost subnets inbound network ACLs | `list(map(string))` | <pre>[<br> {<br> "cidr_block": "0.0.0.0/0",<br> "from_port": 0,<br> "protocol": "-1",<br> "rule_action": "allow",<br> "rule_number": 100,<br> "to_port": 0<br> }<br>]</pre> | no |
| <a name="input_outpost_outbound_acl_rules"></a> [outpost\_outbound\_acl\_rules](#input\_outpost\_outbound\_acl\_rules) | Outpost subnets outbound network ACLs | `list(map(string))` | <pre>[<br> {<br> "cidr_block": "0.0.0.0/0",<br> "from_port": 0,<br> "protocol": "-1",<br> "rule_action": "allow",<br> "rule_number": 100,<br> "to_port": 0<br> }<br>]</pre> | no |
| <a name="input_outpost_subnet_assign_ipv6_address_on_creation"></a> [outpost\_subnet\_assign\_ipv6\_address\_on\_creation](#input\_outpost\_subnet\_assign\_ipv6\_address\_on\_creation) | Assign IPv6 address on outpost subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map\_public\_ip\_on\_launch | `bool` | `null` | no |
| <a name="input_outpost_subnet_assign_ipv6_address_on_creation"></a> [outpost\_subnet\_assign\_ipv6\_address\_on\_creation](#input\_outpost\_subnet\_assign\_ipv6\_address\_on\_creation) | Specify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. Default is `false` | `bool` | `false` | no |
| <a name="input_outpost_subnet_enable_dns64"></a> [outpost\_subnet\_enable\_dns64](#input\_outpost\_subnet\_enable\_dns64) | Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: `true` | `bool` | `true` | no |
| <a name="input_outpost_subnet_enable_resource_name_dns_a_record_on_launch"></a> [outpost\_subnet\_enable\_resource\_name\_dns\_a\_record\_on\_launch](#input\_outpost\_subnet\_enable\_resource\_name\_dns\_a\_record\_on\_launch) | Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: `false` | `bool` | `false` | no |
| <a name="input_outpost_subnet_enable_resource_name_dns_aaaa_record_on_launch"></a> [outpost\_subnet\_enable\_resource\_name\_dns\_aaaa\_record\_on\_launch](#input\_outpost\_subnet\_enable\_resource\_name\_dns\_aaaa\_record\_on\_launch) | Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: `true` | `bool` | `true` | no |
| <a name="input_outpost_subnet_ipv6_native"></a> [outpost\_subnet\_ipv6\_native](#input\_outpost\_subnet\_ipv6\_native) | Indicates whether to create an IPv6-only subnet. Default: `false` | `bool` | `false` | no |
| <a name="input_outpost_subnet_ipv6_prefixes"></a> [outpost\_subnet\_ipv6\_prefixes](#input\_outpost\_subnet\_ipv6\_prefixes) | Assigns IPv6 outpost subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list | `list(string)` | `[]` | no |
| <a name="input_outpost_subnet_names"></a> [outpost\_subnet\_names](#input\_outpost\_subnet\_names) | Explicit values to use in the Name tag on outpost subnets. If empty, Name tags are generated. | `list(string)` | `[]` | no |
| <a name="input_outpost_subnet_names"></a> [outpost\_subnet\_names](#input\_outpost\_subnet\_names) | Explicit values to use in the Name tag on outpost subnets. If empty, Name tags are generated | `list(string)` | `[]` | no |
| <a name="input_outpost_subnet_private_dns_hostname_type_on_launch"></a> [outpost\_subnet\_private\_dns\_hostname\_type\_on\_launch](#input\_outpost\_subnet\_private\_dns\_hostname\_type\_on\_launch) | The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name` | `string` | `null` | no |
| <a name="input_outpost_subnet_suffix"></a> [outpost\_subnet\_suffix](#input\_outpost\_subnet\_suffix) | Suffix to append to outpost subnets name | `string` | `"outpost"` | no |
| <a name="input_outpost_subnet_tags"></a> [outpost\_subnet\_tags](#input\_outpost\_subnet\_tags) | Additional tags for the outpost subnets | `map(string)` | `{}` | no |
| <a name="input_outpost_subnets"></a> [outpost\_subnets](#input\_outpost\_subnets) | A list of outpost subnets inside the VPC | `list(string)` | `[]` | no |
......@@ -490,9 +512,14 @@ No modules.
| <a name="input_private_inbound_acl_rules"></a> [private\_inbound\_acl\_rules](#input\_private\_inbound\_acl\_rules) | Private subnets inbound network ACLs | `list(map(string))` | <pre>[<br> {<br> "cidr_block": "0.0.0.0/0",<br> "from_port": 0,<br> "protocol": "-1",<br> "rule_action": "allow",<br> "rule_number": 100,<br> "to_port": 0<br> }<br>]</pre> | no |
| <a name="input_private_outbound_acl_rules"></a> [private\_outbound\_acl\_rules](#input\_private\_outbound\_acl\_rules) | Private subnets outbound network ACLs | `list(map(string))` | <pre>[<br> {<br> "cidr_block": "0.0.0.0/0",<br> "from_port": 0,<br> "protocol": "-1",<br> "rule_action": "allow",<br> "rule_number": 100,<br> "to_port": 0<br> }<br>]</pre> | no |
| <a name="input_private_route_table_tags"></a> [private\_route\_table\_tags](#input\_private\_route\_table\_tags) | Additional tags for the private route tables | `map(string)` | `{}` | no |
| <a name="input_private_subnet_assign_ipv6_address_on_creation"></a> [private\_subnet\_assign\_ipv6\_address\_on\_creation](#input\_private\_subnet\_assign\_ipv6\_address\_on\_creation) | Assign IPv6 address on private subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map\_public\_ip\_on\_launch | `bool` | `null` | no |
| <a name="input_private_subnet_assign_ipv6_address_on_creation"></a> [private\_subnet\_assign\_ipv6\_address\_on\_creation](#input\_private\_subnet\_assign\_ipv6\_address\_on\_creation) | Specify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. Default is `false` | `bool` | `false` | no |
| <a name="input_private_subnet_enable_dns64"></a> [private\_subnet\_enable\_dns64](#input\_private\_subnet\_enable\_dns64) | Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: `true` | `bool` | `true` | no |
| <a name="input_private_subnet_enable_resource_name_dns_a_record_on_launch"></a> [private\_subnet\_enable\_resource\_name\_dns\_a\_record\_on\_launch](#input\_private\_subnet\_enable\_resource\_name\_dns\_a\_record\_on\_launch) | Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: `false` | `bool` | `false` | no |
| <a name="input_private_subnet_enable_resource_name_dns_aaaa_record_on_launch"></a> [private\_subnet\_enable\_resource\_name\_dns\_aaaa\_record\_on\_launch](#input\_private\_subnet\_enable\_resource\_name\_dns\_aaaa\_record\_on\_launch) | Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: `true` | `bool` | `true` | no |
| <a name="input_private_subnet_ipv6_native"></a> [private\_subnet\_ipv6\_native](#input\_private\_subnet\_ipv6\_native) | Indicates whether to create an IPv6-only subnet. Default: `false` | `bool` | `false` | no |
| <a name="input_private_subnet_ipv6_prefixes"></a> [private\_subnet\_ipv6\_prefixes](#input\_private\_subnet\_ipv6\_prefixes) | Assigns IPv6 private subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list | `list(string)` | `[]` | no |
| <a name="input_private_subnet_names"></a> [private\_subnet\_names](#input\_private\_subnet\_names) | Explicit values to use in the Name tag on private subnets. If empty, Name tags are generated. | `list(string)` | `[]` | no |
| <a name="input_private_subnet_names"></a> [private\_subnet\_names](#input\_private\_subnet\_names) | Explicit values to use in the Name tag on private subnets. If empty, Name tags are generated | `list(string)` | `[]` | no |
| <a name="input_private_subnet_private_dns_hostname_type_on_launch"></a> [private\_subnet\_private\_dns\_hostname\_type\_on\_launch](#input\_private\_subnet\_private\_dns\_hostname\_type\_on\_launch) | The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name` | `string` | `null` | no |
| <a name="input_private_subnet_suffix"></a> [private\_subnet\_suffix](#input\_private\_subnet\_suffix) | Suffix to append to private subnets name | `string` | `"private"` | no |
| <a name="input_private_subnet_tags"></a> [private\_subnet\_tags](#input\_private\_subnet\_tags) | Additional tags for the private subnets | `map(string)` | `{}` | no |
| <a name="input_private_subnet_tags_per_az"></a> [private\_subnet\_tags\_per\_az](#input\_private\_subnet\_tags\_per\_az) | Additional tags for the private subnets where the primary key is the AZ | `map(map(string))` | `{}` | no |
......@@ -505,9 +532,14 @@ No modules.
| <a name="input_public_inbound_acl_rules"></a> [public\_inbound\_acl\_rules](#input\_public\_inbound\_acl\_rules) | Public subnets inbound network ACLs | `list(map(string))` | <pre>[<br> {<br> "cidr_block": "0.0.0.0/0",<br> "from_port": 0,<br> "protocol": "-1",<br> "rule_action": "allow",<br> "rule_number": 100,<br> "to_port": 0<br> }<br>]</pre> | no |
| <a name="input_public_outbound_acl_rules"></a> [public\_outbound\_acl\_rules](#input\_public\_outbound\_acl\_rules) | Public subnets outbound network ACLs | `list(map(string))` | <pre>[<br> {<br> "cidr_block": "0.0.0.0/0",<br> "from_port": 0,<br> "protocol": "-1",<br> "rule_action": "allow",<br> "rule_number": 100,<br> "to_port": 0<br> }<br>]</pre> | no |
| <a name="input_public_route_table_tags"></a> [public\_route\_table\_tags](#input\_public\_route\_table\_tags) | Additional tags for the public route tables | `map(string)` | `{}` | no |
| <a name="input_public_subnet_assign_ipv6_address_on_creation"></a> [public\_subnet\_assign\_ipv6\_address\_on\_creation](#input\_public\_subnet\_assign\_ipv6\_address\_on\_creation) | Assign IPv6 address on public subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map\_public\_ip\_on\_launch | `bool` | `null` | no |
| <a name="input_public_subnet_assign_ipv6_address_on_creation"></a> [public\_subnet\_assign\_ipv6\_address\_on\_creation](#input\_public\_subnet\_assign\_ipv6\_address\_on\_creation) | Specify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. Default is `false` | `bool` | `false` | no |
| <a name="input_public_subnet_enable_dns64"></a> [public\_subnet\_enable\_dns64](#input\_public\_subnet\_enable\_dns64) | Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: `true` | `bool` | `true` | no |
| <a name="input_public_subnet_enable_resource_name_dns_a_record_on_launch"></a> [public\_subnet\_enable\_resource\_name\_dns\_a\_record\_on\_launch](#input\_public\_subnet\_enable\_resource\_name\_dns\_a\_record\_on\_launch) | Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: `false` | `bool` | `false` | no |
| <a name="input_public_subnet_enable_resource_name_dns_aaaa_record_on_launch"></a> [public\_subnet\_enable\_resource\_name\_dns\_aaaa\_record\_on\_launch](#input\_public\_subnet\_enable\_resource\_name\_dns\_aaaa\_record\_on\_launch) | Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: `true` | `bool` | `true` | no |
| <a name="input_public_subnet_ipv6_native"></a> [public\_subnet\_ipv6\_native](#input\_public\_subnet\_ipv6\_native) | Indicates whether to create an IPv6-only subnet. Default: `false` | `bool` | `false` | no |
| <a name="input_public_subnet_ipv6_prefixes"></a> [public\_subnet\_ipv6\_prefixes](#input\_public\_subnet\_ipv6\_prefixes) | Assigns IPv6 public subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list | `list(string)` | `[]` | no |
| <a name="input_public_subnet_names"></a> [public\_subnet\_names](#input\_public\_subnet\_names) | Explicit values to use in the Name tag on public subnets. If empty, Name tags are generated. | `list(string)` | `[]` | no |
| <a name="input_public_subnet_names"></a> [public\_subnet\_names](#input\_public\_subnet\_names) | Explicit values to use in the Name tag on public subnets. If empty, Name tags are generated | `list(string)` | `[]` | no |
| <a name="input_public_subnet_private_dns_hostname_type_on_launch"></a> [public\_subnet\_private\_dns\_hostname\_type\_on\_launch](#input\_public\_subnet\_private\_dns\_hostname\_type\_on\_launch) | The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name` | `string` | `null` | no |
| <a name="input_public_subnet_suffix"></a> [public\_subnet\_suffix](#input\_public\_subnet\_suffix) | Suffix to append to public subnets name | `string` | `"public"` | no |
| <a name="input_public_subnet_tags"></a> [public\_subnet\_tags](#input\_public\_subnet\_tags) | Additional tags for the public subnets | `map(string)` | `{}` | no |
| <a name="input_public_subnet_tags_per_az"></a> [public\_subnet\_tags\_per\_az](#input\_public\_subnet\_tags\_per\_az) | Additional tags for the public subnets where the primary key is the AZ | `map(map(string))` | `{}` | no |
......@@ -518,14 +550,19 @@ No modules.
| <a name="input_redshift_inbound_acl_rules"></a> [redshift\_inbound\_acl\_rules](#input\_redshift\_inbound\_acl\_rules) | Redshift subnets inbound network ACL rules | `list(map(string))` | <pre>[<br> {<br> "cidr_block": "0.0.0.0/0",<br> "from_port": 0,<br> "protocol": "-1",<br> "rule_action": "allow",<br> "rule_number": 100,<br> "to_port": 0<br> }<br>]</pre> | no |
| <a name="input_redshift_outbound_acl_rules"></a> [redshift\_outbound\_acl\_rules](#input\_redshift\_outbound\_acl\_rules) | Redshift subnets outbound network ACL rules | `list(map(string))` | <pre>[<br> {<br> "cidr_block": "0.0.0.0/0",<br> "from_port": 0,<br> "protocol": "-1",<br> "rule_action": "allow",<br> "rule_number": 100,<br> "to_port": 0<br> }<br>]</pre> | no |
| <a name="input_redshift_route_table_tags"></a> [redshift\_route\_table\_tags](#input\_redshift\_route\_table\_tags) | Additional tags for the redshift route tables | `map(string)` | `{}` | no |
| <a name="input_redshift_subnet_assign_ipv6_address_on_creation"></a> [redshift\_subnet\_assign\_ipv6\_address\_on\_creation](#input\_redshift\_subnet\_assign\_ipv6\_address\_on\_creation) | Assign IPv6 address on redshift subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map\_public\_ip\_on\_launch | `bool` | `null` | no |
| <a name="input_redshift_subnet_assign_ipv6_address_on_creation"></a> [redshift\_subnet\_assign\_ipv6\_address\_on\_creation](#input\_redshift\_subnet\_assign\_ipv6\_address\_on\_creation) | Specify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. Default is `false` | `bool` | `false` | no |
| <a name="input_redshift_subnet_enable_dns64"></a> [redshift\_subnet\_enable\_dns64](#input\_redshift\_subnet\_enable\_dns64) | Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: `true` | `bool` | `true` | no |
| <a name="input_redshift_subnet_enable_resource_name_dns_a_record_on_launch"></a> [redshift\_subnet\_enable\_resource\_name\_dns\_a\_record\_on\_launch](#input\_redshift\_subnet\_enable\_resource\_name\_dns\_a\_record\_on\_launch) | Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: `false` | `bool` | `false` | no |
| <a name="input_redshift_subnet_enable_resource_name_dns_aaaa_record_on_launch"></a> [redshift\_subnet\_enable\_resource\_name\_dns\_aaaa\_record\_on\_launch](#input\_redshift\_subnet\_enable\_resource\_name\_dns\_aaaa\_record\_on\_launch) | Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: `true` | `bool` | `true` | no |
| <a name="input_redshift_subnet_group_name"></a> [redshift\_subnet\_group\_name](#input\_redshift\_subnet\_group\_name) | Name of redshift subnet group | `string` | `null` | no |
| <a name="input_redshift_subnet_group_tags"></a> [redshift\_subnet\_group\_tags](#input\_redshift\_subnet\_group\_tags) | Additional tags for the redshift subnet group | `map(string)` | `{}` | no |
| <a name="input_redshift_subnet_ipv6_native"></a> [redshift\_subnet\_ipv6\_native](#input\_redshift\_subnet\_ipv6\_native) | Indicates whether to create an IPv6-only subnet. Default: `false` | `bool` | `false` | no |
| <a name="input_redshift_subnet_ipv6_prefixes"></a> [redshift\_subnet\_ipv6\_prefixes](#input\_redshift\_subnet\_ipv6\_prefixes) | Assigns IPv6 redshift subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list | `list(string)` | `[]` | no |
| <a name="input_redshift_subnet_names"></a> [redshift\_subnet\_names](#input\_redshift\_subnet\_names) | Explicit values to use in the Name tag on redshift subnets. If empty, Name tags are generated. | `list(string)` | `[]` | no |
| <a name="input_redshift_subnet_names"></a> [redshift\_subnet\_names](#input\_redshift\_subnet\_names) | Explicit values to use in the Name tag on redshift subnets. If empty, Name tags are generated | `list(string)` | `[]` | no |
| <a name="input_redshift_subnet_private_dns_hostname_type_on_launch"></a> [redshift\_subnet\_private\_dns\_hostname\_type\_on\_launch](#input\_redshift\_subnet\_private\_dns\_hostname\_type\_on\_launch) | The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name` | `string` | `null` | no |
| <a name="input_redshift_subnet_suffix"></a> [redshift\_subnet\_suffix](#input\_redshift\_subnet\_suffix) | Suffix to append to redshift subnets name | `string` | `"redshift"` | no |
| <a name="input_redshift_subnet_tags"></a> [redshift\_subnet\_tags](#input\_redshift\_subnet\_tags) | Additional tags for the redshift subnets | `map(string)` | `{}` | no |
| <a name="input_redshift_subnets"></a> [redshift\_subnets](#input\_redshift\_subnets) | A list of redshift subnets | `list(string)` | `[]` | no |
| <a name="input_redshift_subnets"></a> [redshift\_subnets](#input\_redshift\_subnets) | A list of redshift subnets inside the VPC | `list(string)` | `[]` | no |
| <a name="input_reuse_nat_ips"></a> [reuse\_nat\_ips](#input\_reuse\_nat\_ips) | Should be true if you don't want EIPs to be created for your NAT Gateways and will instead pass them in via the 'external\_nat\_ip\_ids' variable | `bool` | `false` | no |
| <a name="input_secondary_cidr_blocks"></a> [secondary\_cidr\_blocks](#input\_secondary\_cidr\_blocks) | List of secondary CIDR blocks to associate with the VPC to extend the IP Address pool | `list(string)` | `[]` | no |
| <a name="input_single_nat_gateway"></a> [single\_nat\_gateway](#input\_single\_nat\_gateway) | Should be true if you want to provision a single shared NAT Gateway across all of your private networks | `bool` | `false` | no |
......
UPGRADE-4.0.md 0 → 100644
View file @ 44e6eaa1
# Upgrade from v3.x to v4.x
If you have any questions regarding this upgrade process, please consult the [`examples`](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/) directory:
If you find a bug, please open an issue with supporting configuration to reproduce.
## List of backwards incompatible changes
- The minimum required Terraform version is now 1.0
- The minimum required AWS provider version is now 4.x (4.35.0 at time of writing)
- `assign_ipv6_address_on_creation` has been removed; use the respective subnet type equivalent instead (i.e. - `public_subnet_assign_ipv6_address_on_creation`)
- `enable_classiclink` has been removed; it is no longer supported by AWS https://github.com/hashicorp/terraform/issues/31730
- `enable_classiclink_dns_support` has been removed; it is no longer supported by AWS https://github.com/hashicorp/terraform/issues/31730
## Additional changes
### Modified
- `map_public_ip_on_launch` now defaults to `false`
- `enable_dns_hostnames` now defaults to `true`
- `enable_dns_support` now defaults to `true`
- `manage_default_security_group` now defaults to `true`
- `manage_default_route_table` now defaults to `true`
- `manage_default_network_acl` now defaults to `true`
- The default name for the default security group, route table, and network ACL has changed to fallback to append `-default` to the VPC name if a specific name is not provided
- The default fallback value for outputs has changed from an empty string to `null`
### Variable and output changes
1. Removed variables:
- `assign_ipv6_address_on_creation` has been removed; use the respective subnet type equivalent instead (i.e. - `public_subnet_assign_ipv6_address_on_creation`)
- `enable_classiclink` has been removed; it is no longer supported by AWS https://github.com/hashicorp/terraform/issues/31730
- `enable_classiclink_dns_support` has been removed; it is no longer supported by AWS https://github.com/hashicorp/terraform/issues/31730
2. Renamed variables:
- None
3. Added variables:
- VPC
- `ipv6_cidr_block_network_border_group`
- `enable_network_address_usage_metrics`
- Subnets
- `*_subnet_enable_dns64` for each subnet type
- `*_subnet_enable_resource_name_dns_aaaa_record_on_launch` for each subnet type
- `*_subnet_enable_resource_name_dns_a_record_on_launch` for each subnet type
- `*_subnet_ipv6_native` for each subnet type
- `*_subnet_private_dns_hostname_type_on_launch` for each subnet type
4. Removed outputs:
- None
5. Renamed outputs:
- None
6. Added outputs:
- None
### State Changes
None
examples/complete-vpc/README.md examples/complete/README.md
View file @ 44e6eaa1
......@@ -21,14 +21,14 @@ Note that this example may create resources which can cost money (AWS Elastic IP
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.73 |
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.35 |
## Providers
| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.73 |
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.35 |
## Modules
......@@ -43,6 +43,7 @@ Note that this example may create resources which can cost money (AWS Elastic IP
| Name | Type |
|------|------|
| [aws_security_group.vpc_tls](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
| [aws_iam_policy_document.dynamodb_endpoint_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.generic_endpoint_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_security_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source |
......
examples/complete-vpc/main.tf examples/complete/main.tf
View file @ 44e6eaa1
......@@ -2,10 +2,15 @@ provider "aws" {
region = local.region
}
data "aws_availability_zones" "available" {}
locals {
name = "ex-${replace(basename(path.cwd), "_", "-")}"
name = "ex-${basename(path.cwd)}"
region = "eu-west-1"
vpc_cidr = "10.0.0.0/16"
azs = slice(data.aws_availability_zones.available.names, 0, 3)
tags = {
Example = local.name
GithubRepo = "terraform-aws-vpc"
......@@ -21,15 +26,15 @@ module "vpc" {
source = "../../"
name = local.name
cidr = "10.0.0.0/16"
cidr = local.vpc_cidr
azs = ["${local.region}a", "${local.region}b", "${local.region}c"]
private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
public_subnets = ["10.0.11.0/24", "10.0.12.0/24", "10.0.13.0/24"]
database_subnets = ["10.0.21.0/24", "10.0.22.0/24", "10.0.23.0/24"]
elasticache_subnets = ["10.0.31.0/24", "10.0.32.0/24", "10.0.33.0/24"]
redshift_subnets = ["10.0.41.0/24", "10.0.42.0/24", "10.0.43.0/24"]
intra_subnets = ["10.0.51.0/24", "10.0.52.0/24", "10.0.53.0/24"]
azs = local.azs
private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k)]
public_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 4)]
database_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 8)]
elasticache_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 12)]
redshift_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 16)]
intra_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 20)]
private_subnet_names = ["Private Subnet One", "Private Subnet Two"]
# public_subnet_names omitted to show default name generation for all three subnets
......@@ -39,15 +44,9 @@ module "vpc" {
intra_subnet_names = []
create_database_subnet_group = false
manage_default_network_acl = true
default_network_acl_tags = { Name = "${local.name}-default" }
manage_default_route_table = true
default_route_table_tags = { Name = "${local.name}-default" }
manage_default_security_group = true
default_security_group_tags = { Name = "${local.name}-default" }
manage_default_network_acl = false
manage_default_route_table = false
manage_default_security_group = false
enable_dns_hostnames = true
enable_dns_support = true
......
examples/complete-vpc/versions.tf examples/complete/versions.tf
View file @ 44e6eaa1
terraform {
required_version = ">= 0.13.1"
required_version = ">= 1.0"
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 3.73"
version = ">= 4.35"
}
}
}
examples/ipam-vpc/README.md examples/ipam/README.md
View file @ 44e6eaa1
......@@ -29,14 +29,14 @@ Note that this example may create resources which can cost money (AWS Elastic IP
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.73 |
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.35 |
## Providers
| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.73 |
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.35 |
## Modules
......@@ -54,6 +54,7 @@ Note that this example may create resources which can cost money (AWS Elastic IP
| [aws_vpc_ipam_pool.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_ipam_pool) | resource |
| [aws_vpc_ipam_pool_cidr.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_ipam_pool_cidr) | resource |
| [aws_vpc_ipam_preview_next_cidr.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_ipam_preview_next_cidr) | resource |
| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
## Inputs
......
examples/ipam-vpc/main.tf examples/ipam/main.tf
View file @ 44e6eaa1
......@@ -2,11 +2,13 @@ provider "aws" {
region = local.region
}
data "aws_availability_zones" "available" {}
locals {
name = "ex-${replace(basename(path.cwd), "_", "-")}"
name = "ex-${basename(path.cwd)}"
region = "eu-west-1"
azs = ["${local.region}a", "${local.region}b", "${local.region}c"]
azs = slice(data.aws_availability_zones.available.names, 0, 3)
preview_partition = cidrsubnets(aws_vpc_ipam_preview_next_cidr.this.cidr, 2, 2, 2)
tags = {
......
examples/ipam-vpc/versions.tf examples/ipam/versions.tf
View file @ 44e6eaa1
terraform {
required_version = ">= 0.13.1"
required_version = ">= 1.0"
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 3.73"
version = ">= 4.35"
}
}
}
examples/ipv6/README.md examples/ipv6-dualstack/README.md
View file @ 44e6eaa1
......@@ -19,12 +19,14 @@ Note that this example may create resources which can cost money (AWS Elastic IP
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.73 |
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.35 |
## Providers
No providers.
| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.35 |
## Modules
......@@ -34,7 +36,9 @@ No providers.
## Resources
No resources.
| Name | Type |
|------|------|
| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
## Inputs
......
examples/ipv6/main.tf examples/ipv6-dualstack/main.tf
View file @ 44e6eaa1
......@@ -2,10 +2,15 @@ provider "aws" {
region = local.region
}
data "aws_availability_zones" "available" {}
locals {
name = "ex-${replace(basename(path.cwd), "_", "-")}"
name = "ex-${basename(path.cwd)}"
region = "eu-west-1"
vpc_cidr = "10.0.0.0/16"
azs = slice(data.aws_availability_zones.available.names, 0, 3)
tags = {
Example = local.name
GithubRepo = "terraform-aws-vpc"
......@@ -20,13 +25,13 @@ locals {
module "vpc" {
source = "../.."
name = "ipv6"
cidr = "10.0.0.0/16"
name = local.name
cidr = local.vpc_cidr
azs = ["${local.region}a", "${local.region}b"]
private_subnets = ["10.0.1.0/24", "10.0.2.0/24"]
public_subnets = ["10.0.101.0/24", "10.0.102.0/24"]
database_subnets = ["10.0.103.0/24", "10.0.104.0/24"]
azs = local.azs
private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k)]
public_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 4)]
database_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 8)]
enable_nat_gateway = false
......@@ -34,13 +39,11 @@ module "vpc" {
create_database_internet_gateway_route = true
enable_ipv6 = true
assign_ipv6_address_on_creation = true
private_subnet_assign_ipv6_address_on_creation = false
public_subnet_assign_ipv6_address_on_creation = true
public_subnet_ipv6_prefixes = [0, 1]
private_subnet_ipv6_prefixes = [2, 3]
database_subnet_ipv6_prefixes = [4, 5]
public_subnet_ipv6_prefixes = [0, 1, 2]
private_subnet_ipv6_prefixes = [3, 4, 5]
database_subnet_ipv6_prefixes = [6, 7, 8]
tags = local.tags
}
examples/ipv6/versions.tf examples/ipv6-dualstack/versions.tf
View file @ 44e6eaa1
terraform {
required_version = ">= 0.13.1"
required_version = ">= 1.0"
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 3.73"
version = ">= 4.35"
}
}
}
examples/ipv6-only/README.md 0 → 100644
View file @ 44e6eaa1
# IPv6 Only VPC
Configuration in this directory creates set of VPC resources with IPv6 only enabled on VPC and subnets.
## Usage
To run this example you need to execute:
```bash
$ terraform init
$ terraform plan
$ terraform apply
```
Note that this example may create resources which can cost money (AWS Elastic IP, for example). Run `terraform destroy` when you don't need these resources.
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Requirements
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.35 |
## Providers
| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.35 |
## Modules
| Name | Source | Version |
|------|--------|---------|
| <a name="module_vpc"></a> [vpc](#module\_vpc) | ../.. | n/a |
## Resources
| Name | Type |
|------|------|
| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
## Inputs
No inputs.
## Outputs
| Name | Description |
|------|-------------|
| <a name="output_cgw_arns"></a> [cgw\_arns](#output\_cgw\_arns) | List of ARNs of Customer Gateway |
| <a name="output_cgw_ids"></a> [cgw\_ids](#output\_cgw\_ids) | List of IDs of Customer Gateway |
| <a name="output_database_internet_gateway_route_id"></a> [database\_internet\_gateway\_route\_id](#output\_database\_internet\_gateway\_route\_id) | ID of the database internet gateway route |
| <a name="output_database_ipv6_egress_route_id"></a> [database\_ipv6\_egress\_route\_id](#output\_database\_ipv6\_egress\_route\_id) | ID of the database IPv6 egress route |
| <a name="output_database_nat_gateway_route_ids"></a> [database\_nat\_gateway\_route\_ids](#output\_database\_nat\_gateway\_route\_ids) | List of IDs of the database nat gateway route |
| <a name="output_database_network_acl_arn"></a> [database\_network\_acl\_arn](#output\_database\_network\_acl\_arn) | ARN of the database network ACL |
| <a name="output_database_network_acl_id"></a> [database\_network\_acl\_id](#output\_database\_network\_acl\_id) | ID of the database network ACL |
| <a name="output_database_route_table_association_ids"></a> [database\_route\_table\_association\_ids](#output\_database\_route\_table\_association\_ids) | List of IDs of the database route table association |
| <a name="output_database_route_table_ids"></a> [database\_route\_table\_ids](#output\_database\_route\_table\_ids) | List of IDs of database route tables |
| <a name="output_database_subnet_arns"></a> [database\_subnet\_arns](#output\_database\_subnet\_arns) | List of ARNs of database subnets |
| <a name="output_database_subnet_group"></a> [database\_subnet\_group](#output\_database\_subnet\_group) | ID of database subnet group |
| <a name="output_database_subnet_group_name"></a> [database\_subnet\_group\_name](#output\_database\_subnet\_group\_name) | Name of database subnet group |
| <a name="output_database_subnets"></a> [database\_subnets](#output\_database\_subnets) | List of IDs of database subnets |
| <a name="output_database_subnets_cidr_blocks"></a> [database\_subnets\_cidr\_blocks](#output\_database\_subnets\_cidr\_blocks) | List of cidr\_blocks of database subnets |
| <a name="output_database_subnets_ipv6_cidr_blocks"></a> [database\_subnets\_ipv6\_cidr\_blocks](#output\_database\_subnets\_ipv6\_cidr\_blocks) | List of IPv6 cidr\_blocks of database subnets in an IPv6 enabled VPC |
| <a name="output_default_network_acl_id"></a> [default\_network\_acl\_id](#output\_default\_network\_acl\_id) | The ID of the default network ACL |
| <a name="output_default_route_table_id"></a> [default\_route\_table\_id](#output\_default\_route\_table\_id) | The ID of the default route table |
| <a name="output_default_security_group_id"></a> [default\_security\_group\_id](#output\_default\_security\_group\_id) | The ID of the security group created by default on VPC creation |
| <a name="output_default_vpc_arn"></a> [default\_vpc\_arn](#output\_default\_vpc\_arn) | The ARN of the Default VPC |
| <a name="output_default_vpc_cidr_block"></a> [default\_vpc\_cidr\_block](#output\_default\_vpc\_cidr\_block) | The CIDR block of the Default VPC |
| <a name="output_default_vpc_default_network_acl_id"></a> [default\_vpc\_default\_network\_acl\_id](#output\_default\_vpc\_default\_network\_acl\_id) | The ID of the default network ACL of the Default VPC |
| <a name="output_default_vpc_default_route_table_id"></a> [default\_vpc\_default\_route\_table\_id](#output\_default\_vpc\_default\_route\_table\_id) | The ID of the default route table of the Default VPC |
| <a name="output_default_vpc_default_security_group_id"></a> [default\_vpc\_default\_security\_group\_id](#output\_default\_vpc\_default\_security\_group\_id) | The ID of the security group created by default on Default VPC creation |
| <a name="output_default_vpc_enable_dns_hostnames"></a> [default\_vpc\_enable\_dns\_hostnames](#output\_default\_vpc\_enable\_dns\_hostnames) | Whether or not the Default VPC has DNS hostname support |
| <a name="output_default_vpc_enable_dns_support"></a> [default\_vpc\_enable\_dns\_support](#output\_default\_vpc\_enable\_dns\_support) | Whether or not the Default VPC has DNS support |
| <a name="output_default_vpc_id"></a> [default\_vpc\_id](#output\_default\_vpc\_id) | The ID of the Default VPC |
| <a name="output_default_vpc_instance_tenancy"></a> [default\_vpc\_instance\_tenancy](#output\_default\_vpc\_instance\_tenancy) | Tenancy of instances spin up within Default VPC |
| <a name="output_default_vpc_main_route_table_id"></a> [default\_vpc\_main\_route\_table\_id](#output\_default\_vpc\_main\_route\_table\_id) | The ID of the main route table associated with the Default VPC |
| <a name="output_dhcp_options_id"></a> [dhcp\_options\_id](#output\_dhcp\_options\_id) | The ID of the DHCP options |
| <a name="output_egress_only_internet_gateway_id"></a> [egress\_only\_internet\_gateway\_id](#output\_egress\_only\_internet\_gateway\_id) | The ID of the egress only Internet Gateway |
| <a name="output_elasticache_network_acl_arn"></a> [elasticache\_network\_acl\_arn](#output\_elasticache\_network\_acl\_arn) | ARN of the elasticache network ACL |
| <a name="output_elasticache_network_acl_id"></a> [elasticache\_network\_acl\_id](#output\_elasticache\_network\_acl\_id) | ID of the elasticache network ACL |
| <a name="output_elasticache_route_table_association_ids"></a> [elasticache\_route\_table\_association\_ids](#output\_elasticache\_route\_table\_association\_ids) | List of IDs of the elasticache route table association |
| <a name="output_elasticache_route_table_ids"></a> [elasticache\_route\_table\_ids](#output\_elasticache\_route\_table\_ids) | List of IDs of elasticache route tables |
| <a name="output_elasticache_subnet_arns"></a> [elasticache\_subnet\_arns](#output\_elasticache\_subnet\_arns) | List of ARNs of elasticache subnets |
| <a name="output_elasticache_subnet_group"></a> [elasticache\_subnet\_group](#output\_elasticache\_subnet\_group) | ID of elasticache subnet group |
| <a name="output_elasticache_subnet_group_name"></a> [elasticache\_subnet\_group\_name](#output\_elasticache\_subnet\_group\_name) | Name of elasticache subnet group |
| <a name="output_elasticache_subnets"></a> [elasticache\_subnets](#output\_elasticache\_subnets) | List of IDs of elasticache subnets |
| <a name="output_elasticache_subnets_cidr_blocks"></a> [elasticache\_subnets\_cidr\_blocks](#output\_elasticache\_subnets\_cidr\_blocks) | List of cidr\_blocks of elasticache subnets |
| <a name="output_elasticache_subnets_ipv6_cidr_blocks"></a> [elasticache\_subnets\_ipv6\_cidr\_blocks](#output\_elasticache\_subnets\_ipv6\_cidr\_blocks) | List of IPv6 cidr\_blocks of elasticache subnets in an IPv6 enabled VPC |
| <a name="output_igw_arn"></a> [igw\_arn](#output\_igw\_arn) | The ARN of the Internet Gateway |
| <a name="output_igw_id"></a> [igw\_id](#output\_igw\_id) | The ID of the Internet Gateway |
| <a name="output_intra_network_acl_arn"></a> [intra\_network\_acl\_arn](#output\_intra\_network\_acl\_arn) | ARN of the intra network ACL |
| <a name="output_intra_network_acl_id"></a> [intra\_network\_acl\_id](#output\_intra\_network\_acl\_id) | ID of the intra network ACL |
| <a name="output_intra_route_table_association_ids"></a> [intra\_route\_table\_association\_ids](#output\_intra\_route\_table\_association\_ids) | List of IDs of the intra route table association |
| <a name="output_intra_route_table_ids"></a> [intra\_route\_table\_ids](#output\_intra\_route\_table\_ids) | List of IDs of intra route tables |
| <a name="output_intra_subnet_arns"></a> [intra\_subnet\_arns](#output\_intra\_subnet\_arns) | List of ARNs of intra subnets |
| <a name="output_intra_subnets"></a> [intra\_subnets](#output\_intra\_subnets) | List of IDs of intra subnets |
| <a name="output_intra_subnets_cidr_blocks"></a> [intra\_subnets\_cidr\_blocks](#output\_intra\_subnets\_cidr\_blocks) | List of cidr\_blocks of intra subnets |
| <a name="output_intra_subnets_ipv6_cidr_blocks"></a> [intra\_subnets\_ipv6\_cidr\_blocks](#output\_intra\_subnets\_ipv6\_cidr\_blocks) | List of IPv6 cidr\_blocks of intra subnets in an IPv6 enabled VPC |
| <a name="output_nat_ids"></a> [nat\_ids](#output\_nat\_ids) | List of allocation ID of Elastic IPs created for AWS NAT Gateway |
| <a name="output_nat_public_ips"></a> [nat\_public\_ips](#output\_nat\_public\_ips) | List of public Elastic IPs created for AWS NAT Gateway |
| <a name="output_natgw_ids"></a> [natgw\_ids](#output\_natgw\_ids) | List of NAT Gateway IDs |
| <a name="output_outpost_network_acl_arn"></a> [outpost\_network\_acl\_arn](#output\_outpost\_network\_acl\_arn) | ARN of the outpost network ACL |
| <a name="output_outpost_network_acl_id"></a> [outpost\_network\_acl\_id](#output\_outpost\_network\_acl\_id) | ID of the outpost network ACL |
| <a name="output_outpost_subnet_arns"></a> [outpost\_subnet\_arns](#output\_outpost\_subnet\_arns) | List of ARNs of outpost subnets |
| <a name="output_outpost_subnets"></a> [outpost\_subnets](#output\_outpost\_subnets) | List of IDs of outpost subnets |
| <a name="output_outpost_subnets_cidr_blocks"></a> [outpost\_subnets\_cidr\_blocks](#output\_outpost\_subnets\_cidr\_blocks) | List of cidr\_blocks of outpost subnets |
| <a name="output_outpost_subnets_ipv6_cidr_blocks"></a> [outpost\_subnets\_ipv6\_cidr\_blocks](#output\_outpost\_subnets\_ipv6\_cidr\_blocks) | List of IPv6 cidr\_blocks of outpost subnets in an IPv6 enabled VPC |
| <a name="output_private_ipv6_egress_route_ids"></a> [private\_ipv6\_egress\_route\_ids](#output\_private\_ipv6\_egress\_route\_ids) | List of IDs of the ipv6 egress route |
| <a name="output_private_nat_gateway_route_ids"></a> [private\_nat\_gateway\_route\_ids](#output\_private\_nat\_gateway\_route\_ids) | List of IDs of the private nat gateway route |
| <a name="output_private_network_acl_arn"></a> [private\_network\_acl\_arn](#output\_private\_network\_acl\_arn) | ARN of the private network ACL |
| <a name="output_private_network_acl_id"></a> [private\_network\_acl\_id](#output\_private\_network\_acl\_id) | ID of the private network ACL |
| <a name="output_private_route_table_association_ids"></a> [private\_route\_table\_association\_ids](#output\_private\_route\_table\_association\_ids) | List of IDs of the private route table association |
| <a name="output_private_route_table_ids"></a> [private\_route\_table\_ids](#output\_private\_route\_table\_ids) | List of IDs of private route tables |
| <a name="output_private_subnet_arns"></a> [private\_subnet\_arns](#output\_private\_subnet\_arns) | List of ARNs of private subnets |
| <a name="output_private_subnets"></a> [private\_subnets](#output\_private\_subnets) | List of IDs of private subnets |
| <a name="output_private_subnets_cidr_blocks"></a> [private\_subnets\_cidr\_blocks](#output\_private\_subnets\_cidr\_blocks) | List of cidr\_blocks of private subnets |
| <a name="output_private_subnets_ipv6_cidr_blocks"></a> [private\_subnets\_ipv6\_cidr\_blocks](#output\_private\_subnets\_ipv6\_cidr\_blocks) | List of IPv6 cidr\_blocks of private subnets in an IPv6 enabled VPC |
| <a name="output_public_internet_gateway_ipv6_route_id"></a> [public\_internet\_gateway\_ipv6\_route\_id](#output\_public\_internet\_gateway\_ipv6\_route\_id) | ID of the IPv6 internet gateway route |
| <a name="output_public_internet_gateway_route_id"></a> [public\_internet\_gateway\_route\_id](#output\_public\_internet\_gateway\_route\_id) | ID of the internet gateway route |
| <a name="output_public_network_acl_arn"></a> [public\_network\_acl\_arn](#output\_public\_network\_acl\_arn) | ARN of the public network ACL |
| <a name="output_public_network_acl_id"></a> [public\_network\_acl\_id](#output\_public\_network\_acl\_id) | ID of the public network ACL |
| <a name="output_public_route_table_association_ids"></a> [public\_route\_table\_association\_ids](#output\_public\_route\_table\_association\_ids) | List of IDs of the public route table association |
| <a name="output_public_route_table_ids"></a> [public\_route\_table\_ids](#output\_public\_route\_table\_ids) | List of IDs of public route tables |
| <a name="output_public_subnet_arns"></a> [public\_subnet\_arns](#output\_public\_subnet\_arns) | List of ARNs of public subnets |
| <a name="output_public_subnets"></a> [public\_subnets](#output\_public\_subnets) | List of IDs of public subnets |
| <a name="output_public_subnets_cidr_blocks"></a> [public\_subnets\_cidr\_blocks](#output\_public\_subnets\_cidr\_blocks) | List of cidr\_blocks of public subnets |
| <a name="output_public_subnets_ipv6_cidr_blocks"></a> [public\_subnets\_ipv6\_cidr\_blocks](#output\_public\_subnets\_ipv6\_cidr\_blocks) | List of IPv6 cidr\_blocks of public subnets in an IPv6 enabled VPC |
| <a name="output_redshift_network_acl_arn"></a> [redshift\_network\_acl\_arn](#output\_redshift\_network\_acl\_arn) | ARN of the redshift network ACL |
| <a name="output_redshift_network_acl_id"></a> [redshift\_network\_acl\_id](#output\_redshift\_network\_acl\_id) | ID of the redshift network ACL |
| <a name="output_redshift_public_route_table_association_ids"></a> [redshift\_public\_route\_table\_association\_ids](#output\_redshift\_public\_route\_table\_association\_ids) | List of IDs of the public redshift route table association |
| <a name="output_redshift_route_table_association_ids"></a> [redshift\_route\_table\_association\_ids](#output\_redshift\_route\_table\_association\_ids) | List of IDs of the redshift route table association |
| <a name="output_redshift_route_table_ids"></a> [redshift\_route\_table\_ids](#output\_redshift\_route\_table\_ids) | List of IDs of redshift route tables |
| <a name="output_redshift_subnet_arns"></a> [redshift\_subnet\_arns](#output\_redshift\_subnet\_arns) | List of ARNs of redshift subnets |
| <a name="output_redshift_subnet_group"></a> [redshift\_subnet\_group](#output\_redshift\_subnet\_group) | ID of redshift subnet group |
| <a name="output_redshift_subnets"></a> [redshift\_subnets](#output\_redshift\_subnets) | List of IDs of redshift subnets |
| <a name="output_redshift_subnets_cidr_blocks"></a> [redshift\_subnets\_cidr\_blocks](#output\_redshift\_subnets\_cidr\_blocks) | List of cidr\_blocks of redshift subnets |
| <a name="output_redshift_subnets_ipv6_cidr_blocks"></a> [redshift\_subnets\_ipv6\_cidr\_blocks](#output\_redshift\_subnets\_ipv6\_cidr\_blocks) | List of IPv6 cidr\_blocks of redshift subnets in an IPv6 enabled VPC |
| <a name="output_this_customer_gateway"></a> [this\_customer\_gateway](#output\_this\_customer\_gateway) | Map of Customer Gateway attributes |
| <a name="output_vgw_arn"></a> [vgw\_arn](#output\_vgw\_arn) | The ARN of the VPN Gateway |
| <a name="output_vgw_id"></a> [vgw\_id](#output\_vgw\_id) | The ID of the VPN Gateway |
| <a name="output_vpc_arn"></a> [vpc\_arn](#output\_vpc\_arn) | The ARN of the VPC |
| <a name="output_vpc_cidr_block"></a> [vpc\_cidr\_block](#output\_vpc\_cidr\_block) | The CIDR block of the VPC |
| <a name="output_vpc_enable_dns_hostnames"></a> [vpc\_enable\_dns\_hostnames](#output\_vpc\_enable\_dns\_hostnames) | Whether or not the VPC has DNS hostname support |
| <a name="output_vpc_enable_dns_support"></a> [vpc\_enable\_dns\_support](#output\_vpc\_enable\_dns\_support) | Whether or not the VPC has DNS support |
| <a name="output_vpc_flow_log_cloudwatch_iam_role_arn"></a> [vpc\_flow\_log\_cloudwatch\_iam\_role\_arn](#output\_vpc\_flow\_log\_cloudwatch\_iam\_role\_arn) | The ARN of the IAM role used when pushing logs to Cloudwatch log group |
| <a name="output_vpc_flow_log_destination_arn"></a> [vpc\_flow\_log\_destination\_arn](#output\_vpc\_flow\_log\_destination\_arn) | The ARN of the destination for VPC Flow Logs |
| <a name="output_vpc_flow_log_destination_type"></a> [vpc\_flow\_log\_destination\_type](#output\_vpc\_flow\_log\_destination\_type) | The type of the destination for VPC Flow Logs |
| <a name="output_vpc_flow_log_id"></a> [vpc\_flow\_log\_id](#output\_vpc\_flow\_log\_id) | The ID of the Flow Log resource |
| <a name="output_vpc_id"></a> [vpc\_id](#output\_vpc\_id) | The ID of the VPC |
| <a name="output_vpc_instance_tenancy"></a> [vpc\_instance\_tenancy](#output\_vpc\_instance\_tenancy) | Tenancy of instances spin up within VPC |
| <a name="output_vpc_ipv6_association_id"></a> [vpc\_ipv6\_association\_id](#output\_vpc\_ipv6\_association\_id) | The association ID for the IPv6 CIDR block |
| <a name="output_vpc_ipv6_cidr_block"></a> [vpc\_ipv6\_cidr\_block](#output\_vpc\_ipv6\_cidr\_block) | The IPv6 CIDR block |
| <a name="output_vpc_main_route_table_id"></a> [vpc\_main\_route\_table\_id](#output\_vpc\_main\_route\_table\_id) | The ID of the main route table associated with this VPC |
| <a name="output_vpc_owner_id"></a> [vpc\_owner\_id](#output\_vpc\_owner\_id) | The ID of the AWS account that owns the VPC |
| <a name="output_vpc_secondary_cidr_blocks"></a> [vpc\_secondary\_cidr\_blocks](#output\_vpc\_secondary\_cidr\_blocks) | List of secondary CIDR blocks of the VPC |
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
examples/ipv6-only/main.tf 0 → 100644
View file @ 44e6eaa1
provider "aws" {
region = local.region
}
data "aws_availability_zones" "available" {}
locals {
name = "ex-${basename(path.cwd)}"
region = "eu-west-1"
tags = {
Example = local.name
GithubRepo = "terraform-aws-vpc"
GithubOrg = "terraform-aws-modules"
}
}
################################################################################
# VPC Module
################################################################################
module "vpc" {
source = "../.."
name = local.name
azs = slice(data.aws_availability_zones.available.names, 0, 3)
enable_ipv6 = true
public_subnet_ipv6_native = true
public_subnet_ipv6_prefixes = [0, 1, 2]
private_subnet_ipv6_native = true
private_subnet_ipv6_prefixes = [3, 4, 5]
# RDS currently only supports dual-stack so IPv4 CIDRs will need to be provided for subnets
# database_subnet_ipv6_native = true
# database_subnet_ipv6_prefixes = [6, 7, 8]
enable_nat_gateway = false
create_egress_only_igw = true
tags = local.tags
}
examples/simple-vpc/versions.tf examples/ipv6-only/versions.tf
View file @ 44e6eaa1
terraform {
required_version = ">= 0.13.1"
required_version = ">= 1.0"
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 3.73"
version = ">= 4.35"
}
}
}
examples/issues/README.md
View file @ 44e6eaa1
......@@ -24,12 +24,14 @@ Note that this example may create resources which can cost money (AWS Elastic IP
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.73 |
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.35 |
## Providers
No providers.
| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.35 |
## Modules
......@@ -41,7 +43,9 @@ No providers.
## Resources
No resources.
| Name | Type |
|------|------|
| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
## Inputs
......
examples/issues/main.tf
View file @ 44e6eaa1
......@@ -2,10 +2,14 @@ provider "aws" {
region = local.region
}
data "aws_availability_zones" "available" {}
locals {
name = "ex-${replace(basename(path.cwd), "_", "-")}"
name = "ex-${basename(path.cwd)}"
region = "eu-west-1"
azs = slice(data.aws_availability_zones.available.names, 0, 3)
tags = {
Example = local.name
GithubRepo = "terraform-aws-vpc"
......@@ -23,7 +27,7 @@ module "vpc_issue_44" {
name = "asymmetrical"
cidr = "10.0.0.0/16"
azs = ["${local.region}a", "${local.region}b", "${local.region}c"]
azs = local.azs
private_subnets = ["10.0.1.0/24"]
public_subnets = ["10.0.101.0/24", "10.0.102.0/24"]
database_subnets = ["10.0.21.0/24", "10.0.22.0/24", "10.0.23.0/24"]
......@@ -47,7 +51,7 @@ module "vpc_issue_46" {
name = "no-private-subnets"
cidr = "10.0.0.0/16"
azs = ["${local.region}a", "${local.region}b", "${local.region}c"]
azs = local.azs
public_subnets = ["10.0.0.0/22", "10.0.4.0/22", "10.0.8.0/22"]
private_subnets = []
database_subnets = ["10.0.128.0/24", "10.0.129.0/24"]
......@@ -73,7 +77,7 @@ module "vpc_issue_108" {
name = "route-already-exists"
cidr = "10.0.0.0/16"
azs = ["${local.region}a", "${local.region}b", "${local.region}c"]
azs = local.azs
private_subnets = ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24"]
public_subnets = ["10.0.254.240/28", "10.0.254.224/28", "10.0.254.208/28"]
......
examples/issues/versions.tf
View file @ 44e6eaa1
terraform {
required_version = ">= 0.13.1"
required_version = ">= 1.0"
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 3.73"
version = ">= 4.35"
}
}
}
examples/manage-default-vpc/README.md
View file @ 44e6eaa1
......@@ -21,8 +21,8 @@ Run `terraform destroy` when you don't need these resources.
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.73 |
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.35 |
## Providers
......
examples/manage-default-vpc/main.tf
View file @ 44e6eaa1
......@@ -3,7 +3,7 @@ provider "aws" {
}
locals {
name = "ex-${replace(basename(path.cwd), "_", "-")}"
name = "ex-${basename(path.cwd)}"
region = "eu-west-1"
tags = {
......
examples/manage-default-vpc/versions.tf
View file @ 44e6eaa1
terraform {
required_version = ">= 0.13.1"
required_version = ">= 1.0"
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 3.73"
version = ">= 4.35"
}
}
}
examples/network-acls/README.md
View file @ 44e6eaa1
......@@ -23,12 +23,14 @@ Note that this example may create resources which can cost money (AWS Elastic IP
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.73 |
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.35 |
## Providers
No providers.
| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.35 |
## Modules
......@@ -38,7 +40,9 @@ No providers.
## Resources
No resources.
| Name | Type |
|------|------|
| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
## Inputs
......
examples/network-acls/main.tf
View file @ 44e6eaa1
......@@ -2,10 +2,15 @@ provider "aws" {
region = local.region
}
data "aws_availability_zones" "available" {}
locals {
name = "ex-${replace(basename(path.cwd), "_", "-")}"
name = "ex-${basename(path.cwd)}"
region = "eu-west-1"
vpc_cidr = "10.0.0.0/16"
azs = slice(data.aws_availability_zones.available.names, 0, 3)
tags = {
Example = local.name
GithubRepo = "terraform-aws-vpc"
......@@ -170,12 +175,12 @@ module "vpc" {
source = "../../"
name = local.name
cidr = "10.0.0.0/16"
cidr = local.vpc_cidr
azs = ["${local.region}a", "${local.region}b", "${local.region}c"]
private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
elasticache_subnets = ["10.0.201.0/24", "10.0.202.0/24", "10.0.203.0/24"]
azs = local.azs
private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k)]
public_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 4)]
elasticache_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 8)]
public_dedicated_network_acl = true
public_inbound_acl_rules = concat(local.network_acls["default_inbound"], local.network_acls["public_inbound"])
......
examples/network-acls/versions.tf
View file @ 44e6eaa1
terraform {
required_version = ">= 0.13.1"
required_version = ">= 1.0"
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 3.73"
version = ">= 4.35"
}
}
}
examples/outpost/README.md
View file @ 44e6eaa1
......@@ -23,14 +23,14 @@ Note that this example may create resources which can cost money (AWS Elastic IP
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.73 |
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.35 |
## Providers
| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.73 |
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.35 |
## Modules
......
examples/outpost/main.tf
View file @ 44e6eaa1
......@@ -6,10 +6,15 @@ provider "aws" {
}
}
data "aws_availability_zones" "available" {}
locals {
name = "ex-${replace(basename(path.cwd), "_", "-")}"
name = "ex-${basename(path.cwd)}"
region = "eu-west-1"
vpc_cidr = "10.0.0.0/16"
azs = slice(data.aws_availability_zones.available.names, 0, 3)
tags = {
Example = local.name
GithubRepo = "terraform-aws-vpc"
......@@ -112,16 +117,6 @@ locals {
}
}
################################################################################
# Supporting Resources
################################################################################
data "aws_outposts_outpost" "shared" {
name = "SEA19.07"
}
data "aws_availability_zones" "available" {}
################################################################################
# VPC Module
################################################################################
......@@ -130,15 +125,11 @@ module "vpc" {
source = "../../"
name = local.name
cidr = "10.0.0.0/16"
cidr = local.vpc_cidr
azs = [
data.aws_availability_zones.available.names[0],
data.aws_availability_zones.available.names[1],
data.aws_availability_zones.available.names[2],
]
private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
azs = local.azs
private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k)]
public_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 4)]
# Outpost is using single AZ specified in `outpost_az`
outpost_subnets = ["10.0.50.0/24", "10.0.51.0/24"]
......@@ -161,3 +152,11 @@ module "vpc" {
tags = local.tags
}
################################################################################
# Supporting Resources
################################################################################
data "aws_outposts_outpost" "shared" {
name = "SEA19.07"
}
examples/outpost/versions.tf
View file @ 44e6eaa1
terraform {
required_version = ">= 0.13.1"
required_version = ">= 1.0"
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 3.73"
version = ">= 4.35"
}
}
}
examples/secondary-cidr-blocks/README.md
View file @ 44e6eaa1
......@@ -21,12 +21,14 @@ Note that this example may create resources which can cost money (AWS Elastic IP
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.73 |
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.35 |
## Providers
No providers.
| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.35 |
## Modules
......@@ -36,7 +38,9 @@ No providers.
## Resources
No resources.
| Name | Type |
|------|------|
| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
## Inputs
......
examples/secondary-cidr-blocks/main.tf
View file @ 44e6eaa1
......@@ -2,10 +2,16 @@ provider "aws" {
region = local.region
}
data "aws_availability_zones" "available" {}
locals {
name = "ex-${replace(basename(path.cwd), "_", "-")}"
name = "ex-${basename(path.cwd)}"
region = "eu-west-1"
vpc_cidr = "10.0.0.0/16"
secondary_cidr_blocks = ["10.1.0.0/16", "10.2.0.0/16"]
azs = slice(data.aws_availability_zones.available.names, 0, 3)
tags = {
Example = local.name
GithubRepo = "terraform-aws-vpc"
......@@ -21,26 +27,19 @@ module "vpc" {
source = "../../"
name = local.name
cidr = local.vpc_cidr
cidr = "10.0.0.0/16"
secondary_cidr_blocks = ["10.1.0.0/16", "10.2.0.0/16"]
azs = ["${local.region}a", "${local.region}b", "${local.region}c"]
private_subnets = ["10.0.1.0/24", "10.1.2.0/24", "10.2.3.0/24"]
public_subnets = ["10.0.101.0/24", "10.1.102.0/24", "10.2.103.0/24"]
secondary_cidr_blocks = local.secondary_cidr_blocks # can add up to 5 total CIDR blocks
enable_ipv6 = true
azs = local.azs
private_subnets = concat(
[for k, v in local.azs : cidrsubnet(local.vpc_cidr, 4, k)],
[for k, v in local.azs : cidrsubnet(element(local.secondary_cidr_blocks, 0), 2, k)],
[for k, v in local.azs : cidrsubnet(element(local.secondary_cidr_blocks, 1), 2, k)],
)
public_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 48)]
enable_nat_gateway = true
single_nat_gateway = true
public_subnet_tags = {
Name = "overridden-name-public"
}
enable_nat_gateway = false
tags = local.tags
vpc_tags = {
Name = "vpc-name"
}
}
examples/secondary-cidr-blocks/versions.tf
View file @ 44e6eaa1
terraform {
required_version = ">= 0.13.1"
required_version = ">= 1.0"
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 3.73"
version = ">= 4.35"
}
}
}
examples/vpc-separate-private-route-tables/README.md examples/separate-route-tables/README.md
View file @ 44e6eaa1
......@@ -21,12 +21,14 @@ Note that this example may create resources which can cost money (AWS Elastic IP
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.73 |
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.35 |
## Providers
No providers.
| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.35 |
## Modules
......@@ -36,7 +38,9 @@ No providers.
## Resources
No resources.
| Name | Type |
|------|------|
| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
## Inputs
......
examples/vpc-separate-private-route-tables/main.tf examples/separate-route-tables/main.tf
View file @ 44e6eaa1
......@@ -2,10 +2,15 @@ provider "aws" {
region = local.region
}
data "aws_availability_zones" "available" {}
locals {
name = "ex-${replace(basename(path.cwd), "_", "-")}"
name = "ex-${basename(path.cwd)}"
region = "eu-west-1"
vpc_cidr = "10.0.0.0/16"
azs = slice(data.aws_availability_zones.available.names, 0, 3)
tags = {
Example = local.name
GithubRepo = "terraform-aws-vpc"
......@@ -21,15 +26,15 @@ module "vpc" {
source = "../../"
name = local.name
cidr = "10.10.0.0/16"
azs = ["${local.region}a", "${local.region}b", "${local.region}c"]
private_subnets = ["10.10.1.0/24", "10.10.2.0/24", "10.10.3.0/24"]
public_subnets = ["10.10.11.0/24", "10.10.12.0/24", "10.10.13.0/24"]
database_subnets = ["10.10.21.0/24", "10.10.22.0/24", "10.10.23.0/24"]
elasticache_subnets = ["10.10.31.0/24", "10.10.32.0/24", "10.10.33.0/24"]
redshift_subnets = ["10.10.41.0/24", "10.10.42.0/24", "10.10.43.0/24"]
cidr = local.vpc_cidr
azs = local.azs
private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k)]
public_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 4)]
database_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 8)]
elasticache_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 12)]
redshift_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 16)]
intra_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 20)]
create_database_subnet_route_table = true
create_elasticache_subnet_route_table = true
......
examples/separate-route-tables/versions.tf 0 → 100644
View file @ 44e6eaa1
terraform {
required_version = ">= 1.0"
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 4.35"
}
}
}
examples/simple-vpc/README.md examples/simple/README.md
View file @ 44e6eaa1
......@@ -25,12 +25,14 @@ Note that this example may create resources which can cost money (AWS Elastic IP
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.73 |
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.35 |
## Providers
No providers.
| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.35 |
## Modules
......@@ -40,7 +42,9 @@ No providers.
## Resources
No resources.
| Name | Type |
|------|------|
| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
## Inputs
......
examples/simple-vpc/main.tf examples/simple/main.tf
View file @ 44e6eaa1
......@@ -2,10 +2,15 @@ provider "aws" {
region = local.region
}
data "aws_availability_zones" "available" {}
locals {
name = "ex-${replace(basename(path.cwd), "_", "-")}"
name = "ex-${basename(path.cwd)}"
region = "eu-west-1"
vpc_cidr = "10.0.0.0/16"
azs = slice(data.aws_availability_zones.available.names, 0, 3)
tags = {
Example = local.name
GithubRepo = "terraform-aws-vpc"
......@@ -21,30 +26,13 @@ module "vpc" {
source = "../../"
name = local.name
cidr = "10.0.0.0/16"
azs = ["${local.region}a", "${local.region}b", "${local.region}c"]
private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
cidr = local.vpc_cidr
enable_ipv6 = true
azs = local.azs
private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k)]
public_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 4)]
enable_nat_gateway = false
single_nat_gateway = true
public_subnet_tags = {
Name = "overridden-name-public"
}
public_subnet_tags_per_az = {
"${local.region}a" = {
"availability-zone" = "${local.region}a"
}
}
tags = local.tags
vpc_tags = {
Name = "vpc-name"
}
}
examples/simple/outputs.tf 0 → 100644
View file @ 44e6eaa1
output "vpc_id" {
description = "The ID of the VPC"
value = module.vpc.vpc_id
}
output "vpc_arn" {
description = "The ARN of the VPC"
value = module.vpc.vpc_arn
}
output "vpc_cidr_block" {
description = "The CIDR block of the VPC"
value = module.vpc.vpc_cidr_block
}
output "default_security_group_id" {
description = "The ID of the security group created by default on VPC creation"
value = module.vpc.default_security_group_id
}
output "default_network_acl_id" {
description = "The ID of the default network ACL"
value = module.vpc.default_network_acl_id
}
output "default_route_table_id" {
description = "The ID of the default route table"
value = module.vpc.default_route_table_id
}
output "vpc_instance_tenancy" {
description = "Tenancy of instances spin up within VPC"
value = module.vpc.vpc_instance_tenancy
}
output "vpc_enable_dns_support" {
description = "Whether or not the VPC has DNS support"
value = module.vpc.vpc_enable_dns_support
}
output "vpc_enable_dns_hostnames" {
description = "Whether or not the VPC has DNS hostname support"
value = module.vpc.vpc_enable_dns_hostnames
}
output "vpc_main_route_table_id" {
description = "The ID of the main route table associated with this VPC"
value = module.vpc.vpc_main_route_table_id
}
output "vpc_ipv6_association_id" {
description = "The association ID for the IPv6 CIDR block"
value = module.vpc.vpc_ipv6_association_id
}
output "vpc_ipv6_cidr_block" {
description = "The IPv6 CIDR block"
value = module.vpc.vpc_ipv6_cidr_block
}
output "vpc_secondary_cidr_blocks" {
description = "List of secondary CIDR blocks of the VPC"
value = module.vpc.vpc_secondary_cidr_blocks
}
output "vpc_owner_id" {
description = "The ID of the AWS account that owns the VPC"
value = module.vpc.vpc_owner_id
}
output "private_subnets" {
description = "List of IDs of private subnets"
value = module.vpc.private_subnets
}
output "private_subnet_arns" {
description = "List of ARNs of private subnets"
value = module.vpc.private_subnet_arns
}
output "private_subnets_cidr_blocks" {
description = "List of cidr_blocks of private subnets"
value = module.vpc.private_subnets_cidr_blocks
}
output "private_subnets_ipv6_cidr_blocks" {
description = "List of IPv6 cidr_blocks of private subnets in an IPv6 enabled VPC"
value = module.vpc.private_subnets_ipv6_cidr_blocks
}
output "public_subnets" {
description = "List of IDs of public subnets"
value = module.vpc.public_subnets
}
output "public_subnet_arns" {
description = "List of ARNs of public subnets"
value = module.vpc.public_subnet_arns
}
output "public_subnets_cidr_blocks" {
description = "List of cidr_blocks of public subnets"
value = module.vpc.public_subnets_cidr_blocks
}
output "public_subnets_ipv6_cidr_blocks" {
description = "List of IPv6 cidr_blocks of public subnets in an IPv6 enabled VPC"
value = module.vpc.public_subnets_ipv6_cidr_blocks
}
output "outpost_subnets" {
description = "List of IDs of outpost subnets"
value = module.vpc.outpost_subnets
}
output "outpost_subnet_arns" {
description = "List of ARNs of outpost subnets"
value = module.vpc.outpost_subnet_arns
}
output "outpost_subnets_cidr_blocks" {
description = "List of cidr_blocks of outpost subnets"
value = module.vpc.outpost_subnets_cidr_blocks
}
output "outpost_subnets_ipv6_cidr_blocks" {
description = "List of IPv6 cidr_blocks of outpost subnets in an IPv6 enabled VPC"
value = module.vpc.outpost_subnets_ipv6_cidr_blocks
}
output "database_subnets" {
description = "List of IDs of database subnets"
value = module.vpc.database_subnets
}
output "database_subnet_arns" {
description = "List of ARNs of database subnets"
value = module.vpc.database_subnet_arns
}
output "database_subnets_cidr_blocks" {
description = "List of cidr_blocks of database subnets"
value = module.vpc.database_subnets_cidr_blocks
}
output "database_subnets_ipv6_cidr_blocks" {
description = "List of IPv6 cidr_blocks of database subnets in an IPv6 enabled VPC"
value = module.vpc.database_subnets_ipv6_cidr_blocks
}
output "database_subnet_group" {
description = "ID of database subnet group"
value = module.vpc.database_subnet_group
}
output "database_subnet_group_name" {
description = "Name of database subnet group"
value = module.vpc.database_subnet_group_name
}
output "redshift_subnets" {
description = "List of IDs of redshift subnets"
value = module.vpc.redshift_subnets
}
output "redshift_subnet_arns" {
description = "List of ARNs of redshift subnets"
value = module.vpc.redshift_subnet_arns
}
output "redshift_subnets_cidr_blocks" {
description = "List of cidr_blocks of redshift subnets"
value = module.vpc.redshift_subnets_cidr_blocks
}
output "redshift_subnets_ipv6_cidr_blocks" {
description = "List of IPv6 cidr_blocks of redshift subnets in an IPv6 enabled VPC"
value = module.vpc.redshift_subnets_ipv6_cidr_blocks
}
output "redshift_subnet_group" {
description = "ID of redshift subnet group"
value = module.vpc.redshift_subnet_group
}
output "elasticache_subnets" {
description = "List of IDs of elasticache subnets"
value = module.vpc.elasticache_subnets
}
output "elasticache_subnet_arns" {
description = "List of ARNs of elasticache subnets"
value = module.vpc.elasticache_subnet_arns
}
output "elasticache_subnets_cidr_blocks" {
description = "List of cidr_blocks of elasticache subnets"
value = module.vpc.elasticache_subnets_cidr_blocks
}
output "elasticache_subnets_ipv6_cidr_blocks" {
description = "List of IPv6 cidr_blocks of elasticache subnets in an IPv6 enabled VPC"
value = module.vpc.elasticache_subnets_ipv6_cidr_blocks
}
output "intra_subnets" {
description = "List of IDs of intra subnets"
value = module.vpc.intra_subnets
}
output "intra_subnet_arns" {
description = "List of ARNs of intra subnets"
value = module.vpc.intra_subnet_arns
}
output "intra_subnets_cidr_blocks" {
description = "List of cidr_blocks of intra subnets"
value = module.vpc.intra_subnets_cidr_blocks
}
output "intra_subnets_ipv6_cidr_blocks" {
description = "List of IPv6 cidr_blocks of intra subnets in an IPv6 enabled VPC"
value = module.vpc.intra_subnets_ipv6_cidr_blocks
}
output "elasticache_subnet_group" {
description = "ID of elasticache subnet group"
value = module.vpc.elasticache_subnet_group
}
output "elasticache_subnet_group_name" {
description = "Name of elasticache subnet group"
value = module.vpc.elasticache_subnet_group_name
}
output "public_route_table_ids" {
description = "List of IDs of public route tables"
value = module.vpc.public_route_table_ids
}
output "private_route_table_ids" {
description = "List of IDs of private route tables"
value = module.vpc.private_route_table_ids
}
output "database_route_table_ids" {
description = "List of IDs of database route tables"
value = module.vpc.database_route_table_ids
}
output "redshift_route_table_ids" {
description = "List of IDs of redshift route tables"
value = module.vpc.redshift_route_table_ids
}
output "elasticache_route_table_ids" {
description = "List of IDs of elasticache route tables"
value = module.vpc.elasticache_route_table_ids
}
output "intra_route_table_ids" {
description = "List of IDs of intra route tables"
value = module.vpc.intra_route_table_ids
}
output "public_internet_gateway_route_id" {
description = "ID of the internet gateway route"
value = module.vpc.public_internet_gateway_route_id
}
output "public_internet_gateway_ipv6_route_id" {
description = "ID of the IPv6 internet gateway route"
value = module.vpc.public_internet_gateway_ipv6_route_id
}
output "database_internet_gateway_route_id" {
description = "ID of the database internet gateway route"
value = module.vpc.database_internet_gateway_route_id
}
output "database_nat_gateway_route_ids" {
description = "List of IDs of the database nat gateway route"
value = module.vpc.database_nat_gateway_route_ids
}
output "database_ipv6_egress_route_id" {
description = "ID of the database IPv6 egress route"
value = module.vpc.database_ipv6_egress_route_id
}
output "private_nat_gateway_route_ids" {
description = "List of IDs of the private nat gateway route"
value = module.vpc.private_nat_gateway_route_ids
}
output "private_ipv6_egress_route_ids" {
description = "List of IDs of the ipv6 egress route"
value = module.vpc.private_ipv6_egress_route_ids
}
output "private_route_table_association_ids" {
description = "List of IDs of the private route table association"
value = module.vpc.private_route_table_association_ids
}
output "database_route_table_association_ids" {
description = "List of IDs of the database route table association"
value = module.vpc.database_route_table_association_ids
}
output "redshift_route_table_association_ids" {
description = "List of IDs of the redshift route table association"
value = module.vpc.redshift_route_table_association_ids
}
output "redshift_public_route_table_association_ids" {
description = "List of IDs of the public redshift route table association"
value = module.vpc.redshift_public_route_table_association_ids
}
output "elasticache_route_table_association_ids" {
description = "List of IDs of the elasticache route table association"
value = module.vpc.elasticache_route_table_association_ids
}
output "intra_route_table_association_ids" {
description = "List of IDs of the intra route table association"
value = module.vpc.intra_route_table_association_ids
}
output "public_route_table_association_ids" {
description = "List of IDs of the public route table association"
value = module.vpc.public_route_table_association_ids
}
output "dhcp_options_id" {
description = "The ID of the DHCP options"
value = module.vpc.dhcp_options_id
}
output "nat_ids" {
description = "List of allocation ID of Elastic IPs created for AWS NAT Gateway"
value = module.vpc.nat_ids
}
output "nat_public_ips" {
description = "List of public Elastic IPs created for AWS NAT Gateway"
value = module.vpc.nat_public_ips
}
output "natgw_ids" {
description = "List of NAT Gateway IDs"
value = module.vpc.natgw_ids
}
output "igw_id" {
description = "The ID of the Internet Gateway"
value = module.vpc.igw_id
}
output "igw_arn" {
description = "The ARN of the Internet Gateway"
value = module.vpc.igw_arn
}
output "egress_only_internet_gateway_id" {
description = "The ID of the egress only Internet Gateway"
value = module.vpc.egress_only_internet_gateway_id
}
output "cgw_ids" {
description = "List of IDs of Customer Gateway"
value = module.vpc.cgw_ids
}
output "cgw_arns" {
description = "List of ARNs of Customer Gateway"
value = module.vpc.cgw_arns
}
output "this_customer_gateway" {
description = "Map of Customer Gateway attributes"
value = module.vpc.this_customer_gateway
}
output "vgw_id" {
description = "The ID of the VPN Gateway"
value = module.vpc.vgw_id
}
output "vgw_arn" {
description = "The ARN of the VPN Gateway"
value = module.vpc.vgw_arn
}
output "default_vpc_id" {
description = "The ID of the Default VPC"
value = module.vpc.default_vpc_id
}
output "default_vpc_arn" {
description = "The ARN of the Default VPC"
value = module.vpc.default_vpc_arn
}
output "default_vpc_cidr_block" {
description = "The CIDR block of the Default VPC"
value = module.vpc.default_vpc_cidr_block
}
output "default_vpc_default_security_group_id" {
description = "The ID of the security group created by default on Default VPC creation"
value = module.vpc.default_vpc_default_security_group_id
}
output "default_vpc_default_network_acl_id" {
description = "The ID of the default network ACL of the Default VPC"
value = module.vpc.default_vpc_default_network_acl_id
}
output "default_vpc_default_route_table_id" {
description = "The ID of the default route table of the Default VPC"
value = module.vpc.default_vpc_default_route_table_id
}
output "default_vpc_instance_tenancy" {
description = "Tenancy of instances spin up within Default VPC"
value = module.vpc.default_vpc_instance_tenancy
}
output "default_vpc_enable_dns_support" {
description = "Whether or not the Default VPC has DNS support"
value = module.vpc.default_vpc_enable_dns_support
}
output "default_vpc_enable_dns_hostnames" {
description = "Whether or not the Default VPC has DNS hostname support"
value = module.vpc.default_vpc_enable_dns_hostnames
}
output "default_vpc_main_route_table_id" {
description = "The ID of the main route table associated with the Default VPC"
value = module.vpc.default_vpc_main_route_table_id
}
output "public_network_acl_id" {
description = "ID of the public network ACL"
value = module.vpc.public_network_acl_id
}
output "public_network_acl_arn" {
description = "ARN of the public network ACL"
value = module.vpc.public_network_acl_arn
}
output "private_network_acl_id" {
description = "ID of the private network ACL"
value = module.vpc.private_network_acl_id
}
output "private_network_acl_arn" {
description = "ARN of the private network ACL"
value = module.vpc.private_network_acl_arn
}
output "outpost_network_acl_id" {
description = "ID of the outpost network ACL"
value = module.vpc.outpost_network_acl_id
}
output "outpost_network_acl_arn" {
description = "ARN of the outpost network ACL"
value = module.vpc.outpost_network_acl_arn
}
output "intra_network_acl_id" {
description = "ID of the intra network ACL"
value = module.vpc.intra_network_acl_id
}
output "intra_network_acl_arn" {
description = "ARN of the intra network ACL"
value = module.vpc.intra_network_acl_arn
}
output "database_network_acl_id" {
description = "ID of the database network ACL"
value = module.vpc.database_network_acl_id
}
output "database_network_acl_arn" {
description = "ARN of the database network ACL"
value = module.vpc.database_network_acl_arn
}
output "redshift_network_acl_id" {
description = "ID of the redshift network ACL"
value = module.vpc.redshift_network_acl_id
}
output "redshift_network_acl_arn" {
description = "ARN of the redshift network ACL"
value = module.vpc.redshift_network_acl_arn
}
output "elasticache_network_acl_id" {
description = "ID of the elasticache network ACL"
value = module.vpc.elasticache_network_acl_id
}
output "elasticache_network_acl_arn" {
description = "ARN of the elasticache network ACL"
value = module.vpc.elasticache_network_acl_arn
}
# VPC flow log
output "vpc_flow_log_id" {
description = "The ID of the Flow Log resource"
value = module.vpc.vpc_flow_log_id
}
output "vpc_flow_log_destination_arn" {
description = "The ARN of the destination for VPC Flow Logs"
value = module.vpc.vpc_flow_log_destination_arn
}
output "vpc_flow_log_destination_type" {
description = "The type of the destination for VPC Flow Logs"
value = module.vpc.vpc_flow_log_destination_type
}
output "vpc_flow_log_cloudwatch_iam_role_arn" {
description = "The ARN of the IAM role used when pushing logs to Cloudwatch log group"
value = module.vpc.vpc_flow_log_cloudwatch_iam_role_arn
}
examples/simple/versions.tf 0 → 100644
View file @ 44e6eaa1
terraform {
required_version = ">= 1.0"
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 4.35"
}
}
}
examples/vpc-flow-logs/README.md
View file @ 44e6eaa1
......@@ -23,15 +23,15 @@ Note that this example may create resources which can cost money (AWS Elastic IP
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.75 |
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.35 |
| <a name="requirement_random"></a> [random](#requirement\_random) | >= 2.0 |
## Providers
| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.75 |
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.35 |
| <a name="provider_random"></a> [random](#provider\_random) | >= 2.0 |
## Modules
......@@ -53,6 +53,7 @@ Note that this example may create resources which can cost money (AWS Elastic IP
| [aws_iam_role.vpc_flow_log_cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy_attachment.vpc_flow_log_cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [random_pet.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource |
| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
| [aws_iam_policy_document.flow_log_cloudwatch_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.flow_log_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.vpc_flow_log_cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
......
examples/vpc-flow-logs/main.tf
View file @ 44e6eaa1
......@@ -2,10 +2,15 @@ provider "aws" {
region = local.region
}
data "aws_availability_zones" "available" {}
locals {
name = "ex-${replace(basename(path.cwd), "_", "-")}"
name = "ex-${basename(path.cwd)}"
region = "eu-west-1"
vpc_cidr = "10.0.0.0/16"
azs = slice(data.aws_availability_zones.available.names, 0, 3)
tags = {
Example = local.name
GithubRepo = "terraform-aws-vpc"
......@@ -13,7 +18,6 @@ locals {
}
s3_bucket_name = "vpc-flow-logs-to-s3-${random_pet.this.id}"
cloudwatch_log_group_name = "vpc-flow-logs-to-cloudwatch-${random_pet.this.id}"
}
################################################################################
......@@ -24,10 +28,11 @@ module "vpc_with_flow_logs_s3_bucket" {
source = "../../"
name = local.name
cidr = "10.30.0.0/16"
cidr = local.vpc_cidr
azs = ["${local.region}a"]
public_subnets = ["10.30.101.0/24"]
azs = local.azs
private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k)]
public_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 4)]
enable_flow_log = true
flow_log_destination_type = "s3"
......@@ -40,10 +45,11 @@ module "vpc_with_flow_logs_s3_bucket_parquet" {
source = "../../"
name = "${local.name}-parquet"
cidr = "10.30.0.0/16"
cidr = local.vpc_cidr
azs = ["${local.region}a"]
public_subnets = ["10.30.101.0/24"]
azs = local.azs
private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k)]
public_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 4)]
enable_flow_log = true
flow_log_destination_type = "s3"
......@@ -58,10 +64,11 @@ module "vpc_with_flow_logs_cloudwatch_logs_default" {
source = "../../"
name = "${local.name}-cloudwatch-logs-default"
cidr = "10.10.0.0/16"
cidr = local.vpc_cidr
azs = ["${local.region}a"]
public_subnets = ["10.10.101.0/24"]
azs = local.azs
private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k)]
public_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 4)]
# Cloudwatch log group and IAM role will be created
enable_flow_log = true
......@@ -80,10 +87,11 @@ module "vpc_with_flow_logs_cloudwatch_logs" {
source = "../../"
name = "${local.name}-cloudwatch-logs"
cidr = "10.20.0.0/16"
cidr = local.vpc_cidr
azs = ["${local.region}a"]
public_subnets = ["10.20.101.0/24"]
azs = local.azs
private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k)]
public_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 4)]
enable_flow_log = true
flow_log_destination_type = "cloud-watch-logs"
......@@ -143,7 +151,7 @@ data "aws_iam_policy_document" "flow_log_s3" {
# Cloudwatch logs
resource "aws_cloudwatch_log_group" "flow_log" {
name = local.cloudwatch_log_group_name
name = "vpc-flow-logs-to-cloudwatch-${random_pet.this.id}"
}
resource "aws_iam_role" "vpc_flow_log_cloudwatch" {
......
examples/vpc-flow-logs/versions.tf
View file @ 44e6eaa1
terraform {
required_version = ">= 0.13.1"
required_version = ">= 1.0"
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 3.75"
version = ">= 4.35"
}
random = {
......
examples/vpc-separate-private-route-tables/versions.tf deleted 100644 → 0
View file @ 7010e70b
terraform {
required_version = ">= 0.13.1"
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 3.73"
}
}
}
main.tf
View file @ 44e6eaa1
locals {
len_public_subnets = max(length(var.public_subnets), length(var.public_subnet_ipv6_prefixes))
len_private_subnets = max(length(var.private_subnets), length(var.private_subnet_ipv6_prefixes))
len_database_subnets = max(length(var.database_subnets), length(var.database_subnet_ipv6_prefixes))
len_elasticache_subnets = max(length(var.elasticache_subnets), length(var.elasticache_subnet_ipv6_prefixes))
len_redshift_subnets = max(length(var.redshift_subnets), length(var.redshift_subnet_ipv6_prefixes))
len_intra_subnets = max(length(var.intra_subnets), length(var.intra_subnet_ipv6_prefixes))
len_outpost_subnets = max(length(var.outpost_subnets), length(var.outpost_subnet_ipv6_prefixes))
max_subnet_length = max(
length(var.private_subnets),
length(var.elasticache_subnets),
length(var.database_subnets),
length(var.redshift_subnets),
local.len_public_subnets,
local.len_elasticache_subnets,
local.len_database_subnets,
local.len_redshift_subnets,
)
nat_gateway_count = var.single_nat_gateway ? 1 : var.one_nat_gateway_per_az ? length(var.azs) : local.max_subnet_length
# Use `local.vpc_id` to give a hint to Terraform that subnets should be deleted before secondary CIDR blocks can be free!
vpc_id = try(aws_vpc_ipv4_cidr_block_association.this[0].vpc_id, aws_vpc.this[0].id, "")
......@@ -28,12 +35,12 @@ resource "aws_vpc" "this" {
ipv6_cidr_block = var.ipv6_cidr
ipv6_ipam_pool_id = var.ipv6_ipam_pool_id
ipv6_netmask_length = var.ipv6_netmask_length
ipv6_cidr_block_network_border_group = var.ipv6_cidr_block_network_border_group
instance_tenancy = var.instance_tenancy
enable_dns_hostnames = var.enable_dns_hostnames
enable_dns_support = var.enable_dns_support
enable_classiclink = null # https://github.com/hashicorp/terraform/issues/31730
enable_classiclink_dns_support = null # https://github.com/hashicorp/terraform/issues/31730
enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
tags = merge(
{ "Name" = var.name },
......@@ -51,48 +58,6 @@ resource "aws_vpc_ipv4_cidr_block_association" "this" {
cidr_block = element(var.secondary_cidr_blocks, count.index)
}
resource "aws_default_security_group" "this" {
count = local.create_vpc && var.manage_default_security_group ? 1 : 0
vpc_id = aws_vpc.this[0].id
dynamic "ingress" {
for_each = var.default_security_group_ingress
content {
self = lookup(ingress.value, "self", null)
cidr_blocks = compact(split(",", lookup(ingress.value, "cidr_blocks", "")))
ipv6_cidr_blocks = compact(split(",", lookup(ingress.value, "ipv6_cidr_blocks", "")))
prefix_list_ids = compact(split(",", lookup(ingress.value, "prefix_list_ids", "")))
security_groups = compact(split(",", lookup(ingress.value, "security_groups", "")))
description = lookup(ingress.value, "description", null)
from_port = lookup(ingress.value, "from_port", 0)
to_port = lookup(ingress.value, "to_port", 0)
protocol = lookup(ingress.value, "protocol", "-1")
}
}
dynamic "egress" {
for_each = var.default_security_group_egress
content {
self = lookup(egress.value, "self", null)
cidr_blocks = compact(split(",", lookup(egress.value, "cidr_blocks", "")))
ipv6_cidr_blocks = compact(split(",", lookup(egress.value, "ipv6_cidr_blocks", "")))
prefix_list_ids = compact(split(",", lookup(egress.value, "prefix_list_ids", "")))
security_groups = compact(split(",", lookup(egress.value, "security_groups", "")))
description = lookup(egress.value, "description", null)
from_port = lookup(egress.value, "from_port", 0)
to_port = lookup(egress.value, "to_port", 0)
protocol = lookup(egress.value, "protocol", "-1")
}
}
tags = merge(
{ "Name" = coalesce(var.default_security_group_name, var.name) },
var.tags,
var.default_security_group_tags,
)
}
################################################################################
# DHCP Options Set
################################################################################
......@@ -121,80 +86,44 @@ resource "aws_vpc_dhcp_options_association" "this" {
}
################################################################################
# Internet Gateway
# Publiс Subnets
################################################################################
resource "aws_internet_gateway" "this" {
count = local.create_vpc && var.create_igw && length(var.public_subnets) > 0 ? 1 : 0
vpc_id = local.vpc_id
tags = merge(
{ "Name" = var.name },
var.tags,
var.igw_tags,
)
locals {
create_public_subnets = local.create_vpc && local.len_public_subnets > 0
}
resource "aws_egress_only_internet_gateway" "this" {
count = local.create_vpc && var.create_egress_only_igw && var.enable_ipv6 && local.max_subnet_length > 0 ? 1 : 0
resource "aws_subnet" "public" {
count = local.create_public_subnets && (!var.one_nat_gateway_per_az || local.len_public_subnets >= length(var.azs)) ? local.len_public_subnets : 0
assign_ipv6_address_on_creation = var.enable_ipv6 && var.public_subnet_ipv6_native ? true : var.public_subnet_assign_ipv6_address_on_creation
availability_zone = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) > 0 ? element(var.azs, count.index) : null
availability_zone_id = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) == 0 ? element(var.azs, count.index) : null
cidr_block = var.public_subnet_ipv6_native ? null : element(concat(var.public_subnets, [""]), count.index)
enable_dns64 = var.enable_ipv6 && var.public_subnet_enable_dns64
enable_resource_name_dns_aaaa_record_on_launch = var.enable_ipv6 && var.public_subnet_enable_resource_name_dns_aaaa_record_on_launch
enable_resource_name_dns_a_record_on_launch = !var.public_subnet_ipv6_native && var.public_subnet_enable_resource_name_dns_a_record_on_launch
ipv6_cidr_block = var.enable_ipv6 && length(var.public_subnet_ipv6_prefixes) > 0 ? cidrsubnet(aws_vpc.this[0].ipv6_cidr_block, 8, var.public_subnet_ipv6_prefixes[count.index]) : null
ipv6_native = var.enable_ipv6 && var.public_subnet_ipv6_native
map_public_ip_on_launch = var.map_public_ip_on_launch
private_dns_hostname_type_on_launch = var.public_subnet_private_dns_hostname_type_on_launch
vpc_id = local.vpc_id
tags = merge(
{ "Name" = var.name },
var.tags,
var.igw_tags,
{
Name = try(
var.public_subnet_names[count.index],
format("${var.name}-${var.public_subnet_suffix}-%s", element(var.azs, count.index))
)
}
################################################################################
# Default route
################################################################################
resource "aws_default_route_table" "default" {
count = local.create_vpc && var.manage_default_route_table ? 1 : 0
default_route_table_id = aws_vpc.this[0].default_route_table_id
propagating_vgws = var.default_route_table_propagating_vgws
dynamic "route" {
for_each = var.default_route_table_routes
content {
# One of the following destinations must be provided
cidr_block = route.value.cidr_block
ipv6_cidr_block = lookup(route.value, "ipv6_cidr_block", null)
# One of the following targets must be provided
egress_only_gateway_id = lookup(route.value, "egress_only_gateway_id", null)
gateway_id = lookup(route.value, "gateway_id", null)
instance_id = lookup(route.value, "instance_id", null)
nat_gateway_id = lookup(route.value, "nat_gateway_id", null)
network_interface_id = lookup(route.value, "network_interface_id", null)
transit_gateway_id = lookup(route.value, "transit_gateway_id", null)
vpc_endpoint_id = lookup(route.value, "vpc_endpoint_id", null)
vpc_peering_connection_id = lookup(route.value, "vpc_peering_connection_id", null)
}
}
timeouts {
create = "5m"
update = "5m"
}
tags = merge(
{ "Name" = coalesce(var.default_route_table_name, var.name) },
},
var.tags,
var.default_route_table_tags,
var.public_subnet_tags,
lookup(var.public_subnet_tags_per_az, element(var.azs, count.index), {})
)
}
################################################################################
# Publiс routes
################################################################################
resource "aws_route_table" "public" {
count = local.create_vpc && length(var.public_subnets) > 0 ? 1 : 0
count = local.create_public_subnets ? 1 : 0
vpc_id = local.vpc_id
......@@ -205,8 +134,15 @@ resource "aws_route_table" "public" {
)
}
resource "aws_route_table_association" "public" {
count = local.create_public_subnets ? local.len_public_subnets : 0
subnet_id = element(aws_subnet.public[*].id, count.index)
route_table_id = aws_route_table.public[0].id
}
resource "aws_route" "public_internet_gateway" {
count = local.create_vpc && var.create_igw && length(var.public_subnets) > 0 ? 1 : 0
count = local.create_public_subnets && var.create_igw ? 1 : 0
route_table_id = aws_route_table.public[0].id
destination_cidr_block = "0.0.0.0/0"
......@@ -218,7 +154,7 @@ resource "aws_route" "public_internet_gateway" {
}
resource "aws_route" "public_internet_gateway_ipv6" {
count = local.create_vpc && var.create_igw && var.enable_ipv6 && length(var.public_subnets) > 0 ? 1 : 0
count = local.create_public_subnets && var.create_igw && var.enable_ipv6 ? 1 : 0
route_table_id = aws_route_table.public[0].id
destination_ipv6_cidr_block = "::/0"
......@@ -226,274 +162,368 @@ resource "aws_route" "public_internet_gateway_ipv6" {
}
################################################################################
# Private routes
# There are as many routing tables as the number of NAT gateways
################################################################################
resource "aws_route_table" "private" {
count = local.create_vpc && local.max_subnet_length > 0 ? local.nat_gateway_count : 0
vpc_id = local.vpc_id
tags = merge(
{
"Name" = var.single_nat_gateway ? "${var.name}-${var.private_subnet_suffix}" : format(
"${var.name}-${var.private_subnet_suffix}-%s",
element(var.azs, count.index),
)
},
var.tags,
var.private_route_table_tags,
)
}
################################################################################
# Database routes
# Public Network ACLs
################################################################################
resource "aws_route_table" "database" {
count = local.create_vpc && var.create_database_subnet_route_table && length(var.database_subnets) > 0 ? var.single_nat_gateway || var.create_database_internet_gateway_route ? 1 : length(var.database_subnets) : 0
resource "aws_network_acl" "public" {
count = local.create_public_subnets && var.public_dedicated_network_acl ? 1 : 0
vpc_id = local.vpc_id
subnet_ids = aws_subnet.public[*].id
tags = merge(
{
"Name" = var.single_nat_gateway || var.create_database_internet_gateway_route ? "${var.name}-${var.database_subnet_suffix}" : format(
"${var.name}-${var.database_subnet_suffix}-%s",
element(var.azs, count.index),
)
},
{ "Name" = "${var.name}-${var.public_subnet_suffix}" },
var.tags,
var.database_route_table_tags,
var.public_acl_tags,
)
}
resource "aws_route" "database_internet_gateway" {
count = local.create_vpc && var.create_igw && var.create_database_subnet_route_table && length(var.database_subnets) > 0 && var.create_database_internet_gateway_route && false == var.create_database_nat_gateway_route ? 1 : 0
route_table_id = aws_route_table.database[0].id
destination_cidr_block = "0.0.0.0/0"
gateway_id = aws_internet_gateway.this[0].id
timeouts {
create = "5m"
}
}
resource "aws_route" "database_nat_gateway" {
count = local.create_vpc && var.create_database_subnet_route_table && length(var.database_subnets) > 0 && false == var.create_database_internet_gateway_route && var.create_database_nat_gateway_route && var.enable_nat_gateway ? var.single_nat_gateway ? 1 : length(var.database_subnets) : 0
resource "aws_network_acl_rule" "public_inbound" {
count = local.create_public_subnets && var.public_dedicated_network_acl ? length(var.public_inbound_acl_rules) : 0
route_table_id = element(aws_route_table.database[*].id, count.index)
destination_cidr_block = "0.0.0.0/0"
nat_gateway_id = element(aws_nat_gateway.this[*].id, count.index)
network_acl_id = aws_network_acl.public[0].id
timeouts {
create = "5m"
}
egress = false
rule_number = var.public_inbound_acl_rules[count.index]["rule_number"]
rule_action = var.public_inbound_acl_rules[count.index]["rule_action"]
from_port = lookup(var.public_inbound_acl_rules[count.index], "from_port", null)
to_port = lookup(var.public_inbound_acl_rules[count.index], "to_port", null)
icmp_code = lookup(var.public_inbound_acl_rules[count.index], "icmp_code", null)
icmp_type = lookup(var.public_inbound_acl_rules[count.index], "icmp_type", null)
protocol = var.public_inbound_acl_rules[count.index]["protocol"]
cidr_block = lookup(var.public_inbound_acl_rules[count.index], "cidr_block", null)
ipv6_cidr_block = lookup(var.public_inbound_acl_rules[count.index], "ipv6_cidr_block", null)
}
resource "aws_route" "database_ipv6_egress" {
count = local.create_vpc && var.create_egress_only_igw && var.enable_ipv6 && var.create_database_subnet_route_table && length(var.database_subnets) > 0 && var.create_database_internet_gateway_route ? 1 : 0
resource "aws_network_acl_rule" "public_outbound" {
count = local.create_public_subnets && var.public_dedicated_network_acl ? length(var.public_outbound_acl_rules) : 0
route_table_id = aws_route_table.database[0].id
destination_ipv6_cidr_block = "::/0"
egress_only_gateway_id = aws_egress_only_internet_gateway.this[0].id
network_acl_id = aws_network_acl.public[0].id
timeouts {
create = "5m"
}
egress = true
rule_number = var.public_outbound_acl_rules[count.index]["rule_number"]
rule_action = var.public_outbound_acl_rules[count.index]["rule_action"]
from_port = lookup(var.public_outbound_acl_rules[count.index], "from_port", null)
to_port = lookup(var.public_outbound_acl_rules[count.index], "to_port", null)
icmp_code = lookup(var.public_outbound_acl_rules[count.index], "icmp_code", null)
icmp_type = lookup(var.public_outbound_acl_rules[count.index], "icmp_type", null)
protocol = var.public_outbound_acl_rules[count.index]["protocol"]
cidr_block = lookup(var.public_outbound_acl_rules[count.index], "cidr_block", null)
ipv6_cidr_block = lookup(var.public_outbound_acl_rules[count.index], "ipv6_cidr_block", null)
}
################################################################################
# Redshift routes
# Private Subnets
################################################################################
resource "aws_route_table" "redshift" {
count = local.create_vpc && var.create_redshift_subnet_route_table && length(var.redshift_subnets) > 0 ? 1 : 0
locals {
create_private_subnets = local.create_vpc && local.len_private_subnets > 0
}
resource "aws_subnet" "private" {
count = local.create_private_subnets ? local.len_private_subnets : 0
assign_ipv6_address_on_creation = var.enable_ipv6 && var.private_subnet_ipv6_native ? true : var.private_subnet_assign_ipv6_address_on_creation
availability_zone = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) > 0 ? element(var.azs, count.index) : null
availability_zone_id = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) == 0 ? element(var.azs, count.index) : null
cidr_block = var.private_subnet_ipv6_native ? null : element(concat(var.private_subnets, [""]), count.index)
enable_dns64 = var.enable_ipv6 && var.private_subnet_enable_dns64
enable_resource_name_dns_aaaa_record_on_launch = var.enable_ipv6 && var.private_subnet_enable_resource_name_dns_aaaa_record_on_launch
enable_resource_name_dns_a_record_on_launch = !var.private_subnet_ipv6_native && var.private_subnet_enable_resource_name_dns_a_record_on_launch
ipv6_cidr_block = var.enable_ipv6 && length(var.private_subnet_ipv6_prefixes) > 0 ? cidrsubnet(aws_vpc.this[0].ipv6_cidr_block, 8, var.private_subnet_ipv6_prefixes[count.index]) : null
ipv6_native = var.enable_ipv6 && var.private_subnet_ipv6_native
private_dns_hostname_type_on_launch = var.private_subnet_private_dns_hostname_type_on_launch
vpc_id = local.vpc_id
tags = merge(
{ "Name" = "${var.name}-${var.redshift_subnet_suffix}" },
{
Name = try(
var.private_subnet_names[count.index],
format("${var.name}-${var.private_subnet_suffix}-%s", element(var.azs, count.index))
)
},
var.tags,
var.redshift_route_table_tags,
var.private_subnet_tags,
lookup(var.private_subnet_tags_per_az, element(var.azs, count.index), {})
)
}
################################################################################
# Elasticache routes
################################################################################
resource "aws_route_table" "elasticache" {
count = local.create_vpc && var.create_elasticache_subnet_route_table && length(var.elasticache_subnets) > 0 ? 1 : 0
# There are as many routing tables as the number of NAT gateways
resource "aws_route_table" "private" {
count = local.create_private_subnets && local.max_subnet_length > 0 ? local.nat_gateway_count : 0
vpc_id = local.vpc_id
tags = merge(
{ "Name" = "${var.name}-${var.elasticache_subnet_suffix}" },
{
"Name" = var.single_nat_gateway ? "${var.name}-${var.private_subnet_suffix}" : format(
"${var.name}-${var.private_subnet_suffix}-%s",
element(var.azs, count.index),
)
},
var.tags,
var.elasticache_route_table_tags,
var.private_route_table_tags,
)
}
resource "aws_route_table_association" "private" {
count = local.create_private_subnets ? local.len_private_subnets : 0
subnet_id = element(aws_subnet.private[*].id, count.index)
route_table_id = element(
aws_route_table.private[*].id,
var.single_nat_gateway ? 0 : count.index,
)
}
################################################################################
# Intra routes
# Private Network ACLs
################################################################################
resource "aws_route_table" "intra" {
count = local.create_vpc && length(var.intra_subnets) > 0 ? 1 : 0
locals {
create_private_network_acl = local.create_private_subnets && var.private_dedicated_network_acl
}
resource "aws_network_acl" "private" {
count = local.create_private_network_acl ? 1 : 0
vpc_id = local.vpc_id
subnet_ids = aws_subnet.private[*].id
tags = merge(
{ "Name" = "${var.name}-${var.intra_subnet_suffix}" },
{ "Name" = "${var.name}-${var.private_subnet_suffix}" },
var.tags,
var.intra_route_table_tags,
var.private_acl_tags,
)
}
################################################################################
# Public subnet
################################################################################
resource "aws_network_acl_rule" "private_inbound" {
count = local.create_private_network_acl ? length(var.private_inbound_acl_rules) : 0
resource "aws_subnet" "public" {
count = local.create_vpc && length(var.public_subnets) > 0 && (false == var.one_nat_gateway_per_az || length(var.public_subnets) >= length(var.azs)) ? length(var.public_subnets) : 0
network_acl_id = aws_network_acl.private[0].id
vpc_id = local.vpc_id
cidr_block = element(concat(var.public_subnets, [""]), count.index)
availability_zone = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) > 0 ? element(var.azs, count.index) : null
availability_zone_id = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) == 0 ? element(var.azs, count.index) : null
map_public_ip_on_launch = var.map_public_ip_on_launch
assign_ipv6_address_on_creation = var.public_subnet_assign_ipv6_address_on_creation == null ? var.assign_ipv6_address_on_creation : var.public_subnet_assign_ipv6_address_on_creation
egress = false
rule_number = var.private_inbound_acl_rules[count.index]["rule_number"]
rule_action = var.private_inbound_acl_rules[count.index]["rule_action"]
from_port = lookup(var.private_inbound_acl_rules[count.index], "from_port", null)
to_port = lookup(var.private_inbound_acl_rules[count.index], "to_port", null)
icmp_code = lookup(var.private_inbound_acl_rules[count.index], "icmp_code", null)
icmp_type = lookup(var.private_inbound_acl_rules[count.index], "icmp_type", null)
protocol = var.private_inbound_acl_rules[count.index]["protocol"]
cidr_block = lookup(var.private_inbound_acl_rules[count.index], "cidr_block", null)
ipv6_cidr_block = lookup(var.private_inbound_acl_rules[count.index], "ipv6_cidr_block", null)
}
ipv6_cidr_block = var.enable_ipv6 && length(var.public_subnet_ipv6_prefixes) > 0 ? cidrsubnet(aws_vpc.this[0].ipv6_cidr_block, 8, var.public_subnet_ipv6_prefixes[count.index]) : null
resource "aws_network_acl_rule" "private_outbound" {
count = local.create_private_network_acl ? length(var.private_outbound_acl_rules) : 0
tags = merge(
{
Name = try(
var.public_subnet_names[count.index],
format("${var.name}-${var.public_subnet_suffix}-%s", element(var.azs, count.index))
)
},
var.tags,
var.public_subnet_tags,
lookup(var.public_subnet_tags_per_az, element(var.azs, count.index), {})
)
network_acl_id = aws_network_acl.private[0].id
egress = true
rule_number = var.private_outbound_acl_rules[count.index]["rule_number"]
rule_action = var.private_outbound_acl_rules[count.index]["rule_action"]
from_port = lookup(var.private_outbound_acl_rules[count.index], "from_port", null)
to_port = lookup(var.private_outbound_acl_rules[count.index], "to_port", null)
icmp_code = lookup(var.private_outbound_acl_rules[count.index], "icmp_code", null)
icmp_type = lookup(var.private_outbound_acl_rules[count.index], "icmp_type", null)
protocol = var.private_outbound_acl_rules[count.index]["protocol"]
cidr_block = lookup(var.private_outbound_acl_rules[count.index], "cidr_block", null)
ipv6_cidr_block = lookup(var.private_outbound_acl_rules[count.index], "ipv6_cidr_block", null)
}
################################################################################
# Private subnet
# Database Subnets
################################################################################
resource "aws_subnet" "private" {
count = local.create_vpc && length(var.private_subnets) > 0 ? length(var.private_subnets) : 0
locals {
create_database_subnets = local.create_vpc && local.len_database_subnets > 0
create_database_route_table = local.create_database_subnets && var.create_database_subnet_route_table
}
vpc_id = local.vpc_id
cidr_block = var.private_subnets[count.index]
resource "aws_subnet" "database" {
count = local.create_database_subnets ? local.len_database_subnets : 0
assign_ipv6_address_on_creation = var.enable_ipv6 && var.database_subnet_ipv6_native ? true : var.database_subnet_assign_ipv6_address_on_creation
availability_zone = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) > 0 ? element(var.azs, count.index) : null
availability_zone_id = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) == 0 ? element(var.azs, count.index) : null
assign_ipv6_address_on_creation = var.private_subnet_assign_ipv6_address_on_creation == null ? var.assign_ipv6_address_on_creation : var.private_subnet_assign_ipv6_address_on_creation
ipv6_cidr_block = var.enable_ipv6 && length(var.private_subnet_ipv6_prefixes) > 0 ? cidrsubnet(aws_vpc.this[0].ipv6_cidr_block, 8, var.private_subnet_ipv6_prefixes[count.index]) : null
cidr_block = var.database_subnet_ipv6_native ? null : element(concat(var.database_subnets, [""]), count.index)
enable_dns64 = var.enable_ipv6 && var.database_subnet_enable_dns64
enable_resource_name_dns_aaaa_record_on_launch = var.enable_ipv6 && var.database_subnet_enable_resource_name_dns_aaaa_record_on_launch
enable_resource_name_dns_a_record_on_launch = !var.database_subnet_ipv6_native && var.database_subnet_enable_resource_name_dns_a_record_on_launch
ipv6_cidr_block = var.enable_ipv6 && length(var.database_subnet_ipv6_prefixes) > 0 ? cidrsubnet(aws_vpc.this[0].ipv6_cidr_block, 8, var.database_subnet_ipv6_prefixes[count.index]) : null
ipv6_native = var.enable_ipv6 && var.database_subnet_ipv6_native
private_dns_hostname_type_on_launch = var.database_subnet_private_dns_hostname_type_on_launch
vpc_id = local.vpc_id
tags = merge(
{
Name = try(
var.private_subnet_names[count.index],
format("${var.name}-${var.private_subnet_suffix}-%s", element(var.azs, count.index))
var.database_subnet_names[count.index],
format("${var.name}-${var.database_subnet_suffix}-%s", element(var.azs, count.index), )
)
},
var.tags,
var.private_subnet_tags,
lookup(var.private_subnet_tags_per_az, element(var.azs, count.index), {})
var.database_subnet_tags,
)
}
################################################################################
# Outpost subnet
################################################################################
resource "aws_subnet" "outpost" {
count = local.create_vpc && length(var.outpost_subnets) > 0 ? length(var.outpost_subnets) : 0
vpc_id = local.vpc_id
cidr_block = var.outpost_subnets[count.index]
availability_zone = var.outpost_az
assign_ipv6_address_on_creation = var.outpost_subnet_assign_ipv6_address_on_creation == null ? var.assign_ipv6_address_on_creation : var.outpost_subnet_assign_ipv6_address_on_creation
ipv6_cidr_block = var.enable_ipv6 && length(var.outpost_subnet_ipv6_prefixes) > 0 ? cidrsubnet(aws_vpc.this[0].ipv6_cidr_block, 8, var.outpost_subnet_ipv6_prefixes[count.index]) : null
resource "aws_db_subnet_group" "database" {
count = local.create_database_subnets && var.create_database_subnet_group ? 1 : 0
outpost_arn = var.outpost_arn
name = lower(coalesce(var.database_subnet_group_name, var.name))
description = "Database subnet group for ${var.name}"
subnet_ids = aws_subnet.database[*].id
tags = merge(
{
Name = try(
var.outpost_subnet_names[count.index],
format("${var.name}-${var.outpost_subnet_suffix}-%s", var.outpost_az)
)
"Name" = lower(coalesce(var.database_subnet_group_name, var.name))
},
var.tags,
var.outpost_subnet_tags,
var.database_subnet_group_tags,
)
}
################################################################################
# Database subnet
################################################################################
resource "aws_subnet" "database" {
count = local.create_vpc && length(var.database_subnets) > 0 ? length(var.database_subnets) : 0
resource "aws_route_table" "database" {
count = local.create_database_route_table ? var.single_nat_gateway || var.create_database_internet_gateway_route ? 1 : local.len_database_subnets : 0
vpc_id = local.vpc_id
cidr_block = var.database_subnets[count.index]
availability_zone = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) > 0 ? element(var.azs, count.index) : null
availability_zone_id = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) == 0 ? element(var.azs, count.index) : null
assign_ipv6_address_on_creation = var.database_subnet_assign_ipv6_address_on_creation == null ? var.assign_ipv6_address_on_creation : var.database_subnet_assign_ipv6_address_on_creation
ipv6_cidr_block = var.enable_ipv6 && length(var.database_subnet_ipv6_prefixes) > 0 ? cidrsubnet(aws_vpc.this[0].ipv6_cidr_block, 8, var.database_subnet_ipv6_prefixes[count.index]) : null
tags = merge(
{
Name = try(
var.database_subnet_names[count.index],
format("${var.name}-${var.database_subnet_suffix}-%s", element(var.azs, count.index), )
"Name" = var.single_nat_gateway || var.create_database_internet_gateway_route ? "${var.name}-${var.database_subnet_suffix}" : format(
"${var.name}-${var.database_subnet_suffix}-%s",
element(var.azs, count.index),
)
},
var.tags,
var.database_subnet_tags,
var.database_route_table_tags,
)
}
resource "aws_db_subnet_group" "database" {
count = local.create_vpc && length(var.database_subnets) > 0 && var.create_database_subnet_group ? 1 : 0
resource "aws_route_table_association" "database" {
count = local.create_database_subnets ? local.len_database_subnets : 0
name = lower(coalesce(var.database_subnet_group_name, var.name))
description = "Database subnet group for ${var.name}"
subnet_id = element(aws_subnet.database[*].id, count.index)
route_table_id = element(
coalescelist(aws_route_table.database[*].id, aws_route_table.private[*].id),
var.create_database_subnet_route_table ? var.single_nat_gateway || var.create_database_internet_gateway_route ? 0 : count.index : count.index,
)
}
resource "aws_route" "database_internet_gateway" {
count = local.create_database_route_table && var.create_igw && var.create_database_internet_gateway_route && !var.create_database_nat_gateway_route ? 1 : 0
route_table_id = aws_route_table.database[0].id
destination_cidr_block = "0.0.0.0/0"
gateway_id = aws_internet_gateway.this[0].id
timeouts {
create = "5m"
}
}
resource "aws_route" "database_nat_gateway" {
count = local.create_database_route_table && !var.create_database_internet_gateway_route && var.create_database_nat_gateway_route && var.enable_nat_gateway ? var.single_nat_gateway ? 1 : local.len_database_subnets : 0
route_table_id = element(aws_route_table.database[*].id, count.index)
destination_cidr_block = "0.0.0.0/0"
nat_gateway_id = element(aws_nat_gateway.this[*].id, count.index)
timeouts {
create = "5m"
}
}
resource "aws_route" "database_ipv6_egress" {
count = local.create_database_route_table && var.create_egress_only_igw && var.enable_ipv6 && var.create_database_internet_gateway_route ? 1 : 0
route_table_id = aws_route_table.database[0].id
destination_ipv6_cidr_block = "::/0"
egress_only_gateway_id = aws_egress_only_internet_gateway.this[0].id
timeouts {
create = "5m"
}
}
################################################################################
# Database Network ACLs
################################################################################
locals {
create_database_network_acl = local.create_database_subnets && var.database_dedicated_network_acl
}
resource "aws_network_acl" "database" {
count = local.create_database_network_acl ? 1 : 0
vpc_id = local.vpc_id
subnet_ids = aws_subnet.database[*].id
tags = merge(
{
"Name" = lower(coalesce(var.database_subnet_group_name, var.name))
},
{ "Name" = "${var.name}-${var.database_subnet_suffix}" },
var.tags,
var.database_subnet_group_tags,
var.database_acl_tags,
)
}
resource "aws_network_acl_rule" "database_inbound" {
count = local.create_database_network_acl ? length(var.database_inbound_acl_rules) : 0
network_acl_id = aws_network_acl.database[0].id
egress = false
rule_number = var.database_inbound_acl_rules[count.index]["rule_number"]
rule_action = var.database_inbound_acl_rules[count.index]["rule_action"]
from_port = lookup(var.database_inbound_acl_rules[count.index], "from_port", null)
to_port = lookup(var.database_inbound_acl_rules[count.index], "to_port", null)
icmp_code = lookup(var.database_inbound_acl_rules[count.index], "icmp_code", null)
icmp_type = lookup(var.database_inbound_acl_rules[count.index], "icmp_type", null)
protocol = var.database_inbound_acl_rules[count.index]["protocol"]
cidr_block = lookup(var.database_inbound_acl_rules[count.index], "cidr_block", null)
ipv6_cidr_block = lookup(var.database_inbound_acl_rules[count.index], "ipv6_cidr_block", null)
}
resource "aws_network_acl_rule" "database_outbound" {
count = local.create_database_network_acl ? length(var.database_outbound_acl_rules) : 0
network_acl_id = aws_network_acl.database[0].id
egress = true
rule_number = var.database_outbound_acl_rules[count.index]["rule_number"]
rule_action = var.database_outbound_acl_rules[count.index]["rule_action"]
from_port = lookup(var.database_outbound_acl_rules[count.index], "from_port", null)
to_port = lookup(var.database_outbound_acl_rules[count.index], "to_port", null)
icmp_code = lookup(var.database_outbound_acl_rules[count.index], "icmp_code", null)
icmp_type = lookup(var.database_outbound_acl_rules[count.index], "icmp_type", null)
protocol = var.database_outbound_acl_rules[count.index]["protocol"]
cidr_block = lookup(var.database_outbound_acl_rules[count.index], "cidr_block", null)
ipv6_cidr_block = lookup(var.database_outbound_acl_rules[count.index], "ipv6_cidr_block", null)
}
################################################################################
# Redshift subnet
# Redshift Subnets
################################################################################
locals {
create_redshift_subnets = local.create_vpc && local.len_redshift_subnets > 0
create_redshift_route_table = local.create_redshift_subnets && var.create_redshift_subnet_route_table
}
resource "aws_subnet" "redshift" {
count = local.create_vpc && length(var.redshift_subnets) > 0 ? length(var.redshift_subnets) : 0
count = local.create_redshift_subnets ? local.len_redshift_subnets : 0
vpc_id = local.vpc_id
cidr_block = var.redshift_subnets[count.index]
assign_ipv6_address_on_creation = var.enable_ipv6 && var.redshift_subnet_ipv6_native ? true : var.redshift_subnet_assign_ipv6_address_on_creation
availability_zone = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) > 0 ? element(var.azs, count.index) : null
availability_zone_id = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) == 0 ? element(var.azs, count.index) : null
assign_ipv6_address_on_creation = var.redshift_subnet_assign_ipv6_address_on_creation == null ? var.assign_ipv6_address_on_creation : var.redshift_subnet_assign_ipv6_address_on_creation
cidr_block = var.redshift_subnet_ipv6_native ? null : element(concat(var.redshift_subnets, [""]), count.index)
enable_dns64 = var.enable_ipv6 && var.redshift_subnet_enable_dns64
enable_resource_name_dns_aaaa_record_on_launch = var.enable_ipv6 && var.redshift_subnet_enable_resource_name_dns_aaaa_record_on_launch
enable_resource_name_dns_a_record_on_launch = !var.redshift_subnet_ipv6_native && var.redshift_subnet_enable_resource_name_dns_a_record_on_launch
ipv6_cidr_block = var.enable_ipv6 && length(var.redshift_subnet_ipv6_prefixes) > 0 ? cidrsubnet(aws_vpc.this[0].ipv6_cidr_block, 8, var.redshift_subnet_ipv6_prefixes[count.index]) : null
ipv6_native = var.enable_ipv6 && var.redshift_subnet_ipv6_native
private_dns_hostname_type_on_launch = var.redshift_subnet_private_dns_hostname_type_on_launch
vpc_id = local.vpc_id
tags = merge(
{
......@@ -508,7 +538,7 @@ resource "aws_subnet" "redshift" {
}
resource "aws_redshift_subnet_group" "redshift" {
count = local.create_vpc && length(var.redshift_subnets) > 0 && var.create_redshift_subnet_group ? 1 : 0
count = local.create_redshift_subnets && var.create_redshift_subnet_group ? 1 : 0
name = lower(coalesce(var.redshift_subnet_group_name, var.name))
description = "Redshift subnet group for ${var.name}"
......@@ -521,286 +551,287 @@ resource "aws_redshift_subnet_group" "redshift" {
)
}
################################################################################
# ElastiCache subnet
################################################################################
resource "aws_subnet" "elasticache" {
count = local.create_vpc && length(var.elasticache_subnets) > 0 ? length(var.elasticache_subnets) : 0
resource "aws_route_table" "redshift" {
count = local.create_redshift_route_table ? 1 : 0
vpc_id = local.vpc_id
cidr_block = var.elasticache_subnets[count.index]
availability_zone = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) > 0 ? element(var.azs, count.index) : null
availability_zone_id = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) == 0 ? element(var.azs, count.index) : null
assign_ipv6_address_on_creation = var.elasticache_subnet_assign_ipv6_address_on_creation == null ? var.assign_ipv6_address_on_creation : var.elasticache_subnet_assign_ipv6_address_on_creation
ipv6_cidr_block = var.enable_ipv6 && length(var.elasticache_subnet_ipv6_prefixes) > 0 ? cidrsubnet(aws_vpc.this[0].ipv6_cidr_block, 8, var.elasticache_subnet_ipv6_prefixes[count.index]) : null
tags = merge(
{
Name = try(
var.elasticache_subnet_names[count.index],
format("${var.name}-${var.elasticache_subnet_suffix}-%s", element(var.azs, count.index))
)
},
{ "Name" = "${var.name}-${var.redshift_subnet_suffix}" },
var.tags,
var.elasticache_subnet_tags,
var.redshift_route_table_tags,
)
}
resource "aws_elasticache_subnet_group" "elasticache" {
count = local.create_vpc && length(var.elasticache_subnets) > 0 && var.create_elasticache_subnet_group ? 1 : 0
resource "aws_route_table_association" "redshift" {
count = local.create_redshift_subnets && !var.enable_public_redshift ? local.len_redshift_subnets : 0
name = coalesce(var.elasticache_subnet_group_name, var.name)
description = "ElastiCache subnet group for ${var.name}"
subnet_ids = aws_subnet.elasticache[*].id
subnet_id = element(aws_subnet.redshift[*].id, count.index)
route_table_id = element(
coalescelist(aws_route_table.redshift[*].id, aws_route_table.private[*].id),
var.single_nat_gateway || var.create_redshift_subnet_route_table ? 0 : count.index,
)
}
tags = merge(
{ "Name" = coalesce(var.elasticache_subnet_group_name, var.name) },
var.tags,
var.elasticache_subnet_group_tags,
resource "aws_route_table_association" "redshift_public" {
count = local.create_redshift_subnets && var.enable_public_redshift ? local.len_redshift_subnets : 0
subnet_id = element(aws_subnet.redshift[*].id, count.index)
route_table_id = element(
coalescelist(aws_route_table.redshift[*].id, aws_route_table.public[*].id),
var.single_nat_gateway || var.create_redshift_subnet_route_table ? 0 : count.index,
)
}
################################################################################
# Intra subnets - private subnet without NAT gateway
# Redshift Network ACLs
################################################################################
resource "aws_subnet" "intra" {
count = local.create_vpc && length(var.intra_subnets) > 0 ? length(var.intra_subnets) : 0
locals {
create_redshift_network_acl = local.create_redshift_subnets && var.redshift_dedicated_network_acl
}
vpc_id = local.vpc_id
cidr_block = var.intra_subnets[count.index]
availability_zone = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) > 0 ? element(var.azs, count.index) : null
availability_zone_id = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) == 0 ? element(var.azs, count.index) : null
assign_ipv6_address_on_creation = var.intra_subnet_assign_ipv6_address_on_creation == null ? var.assign_ipv6_address_on_creation : var.intra_subnet_assign_ipv6_address_on_creation
resource "aws_network_acl" "redshift" {
count = local.create_redshift_network_acl ? 1 : 0
ipv6_cidr_block = var.enable_ipv6 && length(var.intra_subnet_ipv6_prefixes) > 0 ? cidrsubnet(aws_vpc.this[0].ipv6_cidr_block, 8, var.intra_subnet_ipv6_prefixes[count.index]) : null
vpc_id = local.vpc_id
subnet_ids = aws_subnet.redshift[*].id
tags = merge(
{
Name = try(
var.intra_subnet_names[count.index],
format("${var.name}-${var.intra_subnet_suffix}-%s", element(var.azs, count.index))
)
},
{ "Name" = "${var.name}-${var.redshift_subnet_suffix}" },
var.tags,
var.intra_subnet_tags,
var.redshift_acl_tags,
)
}
################################################################################
# Default Network ACLs
################################################################################
resource "aws_default_network_acl" "this" {
count = local.create_vpc && var.manage_default_network_acl ? 1 : 0
resource "aws_network_acl_rule" "redshift_inbound" {
count = local.create_redshift_network_acl ? length(var.redshift_inbound_acl_rules) : 0
default_network_acl_id = aws_vpc.this[0].default_network_acl_id
network_acl_id = aws_network_acl.redshift[0].id
# subnet_ids is using lifecycle ignore_changes, so it is not necessary to list
# any explicitly. See https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/736.
subnet_ids = null
egress = false
rule_number = var.redshift_inbound_acl_rules[count.index]["rule_number"]
rule_action = var.redshift_inbound_acl_rules[count.index]["rule_action"]
from_port = lookup(var.redshift_inbound_acl_rules[count.index], "from_port", null)
to_port = lookup(var.redshift_inbound_acl_rules[count.index], "to_port", null)
icmp_code = lookup(var.redshift_inbound_acl_rules[count.index], "icmp_code", null)
icmp_type = lookup(var.redshift_inbound_acl_rules[count.index], "icmp_type", null)
protocol = var.redshift_inbound_acl_rules[count.index]["protocol"]
cidr_block = lookup(var.redshift_inbound_acl_rules[count.index], "cidr_block", null)
ipv6_cidr_block = lookup(var.redshift_inbound_acl_rules[count.index], "ipv6_cidr_block", null)
}
dynamic "ingress" {
for_each = var.default_network_acl_ingress
content {
action = ingress.value.action
cidr_block = lookup(ingress.value, "cidr_block", null)
from_port = ingress.value.from_port
icmp_code = lookup(ingress.value, "icmp_code", null)
icmp_type = lookup(ingress.value, "icmp_type", null)
ipv6_cidr_block = lookup(ingress.value, "ipv6_cidr_block", null)
protocol = ingress.value.protocol
rule_no = ingress.value.rule_no
to_port = ingress.value.to_port
}
}
dynamic "egress" {
for_each = var.default_network_acl_egress
content {
action = egress.value.action
cidr_block = lookup(egress.value, "cidr_block", null)
from_port = egress.value.from_port
icmp_code = lookup(egress.value, "icmp_code", null)
icmp_type = lookup(egress.value, "icmp_type", null)
ipv6_cidr_block = lookup(egress.value, "ipv6_cidr_block", null)
protocol = egress.value.protocol
rule_no = egress.value.rule_no
to_port = egress.value.to_port
}
}
resource "aws_network_acl_rule" "redshift_outbound" {
count = local.create_redshift_network_acl ? length(var.redshift_outbound_acl_rules) : 0
tags = merge(
{ "Name" = coalesce(var.default_network_acl_name, var.name) },
var.tags,
var.default_network_acl_tags,
)
network_acl_id = aws_network_acl.redshift[0].id
lifecycle {
ignore_changes = [subnet_ids]
}
egress = true
rule_number = var.redshift_outbound_acl_rules[count.index]["rule_number"]
rule_action = var.redshift_outbound_acl_rules[count.index]["rule_action"]
from_port = lookup(var.redshift_outbound_acl_rules[count.index], "from_port", null)
to_port = lookup(var.redshift_outbound_acl_rules[count.index], "to_port", null)
icmp_code = lookup(var.redshift_outbound_acl_rules[count.index], "icmp_code", null)
icmp_type = lookup(var.redshift_outbound_acl_rules[count.index], "icmp_type", null)
protocol = var.redshift_outbound_acl_rules[count.index]["protocol"]
cidr_block = lookup(var.redshift_outbound_acl_rules[count.index], "cidr_block", null)
ipv6_cidr_block = lookup(var.redshift_outbound_acl_rules[count.index], "ipv6_cidr_block", null)
}
################################################################################
# Public Network ACLs
# Elasticache Subnets
################################################################################
resource "aws_network_acl" "public" {
count = local.create_vpc && var.public_dedicated_network_acl && length(var.public_subnets) > 0 ? 1 : 0
locals {
create_elasticache_subnets = local.create_vpc && local.len_elasticache_subnets > 0
create_elasticache_route_table = local.create_elasticache_subnets && var.create_elasticache_subnet_route_table
}
resource "aws_subnet" "elasticache" {
count = local.create_elasticache_subnets ? local.len_elasticache_subnets : 0
assign_ipv6_address_on_creation = var.enable_ipv6 && var.elasticache_subnet_ipv6_native ? true : var.elasticache_subnet_assign_ipv6_address_on_creation
availability_zone = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) > 0 ? element(var.azs, count.index) : null
availability_zone_id = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) == 0 ? element(var.azs, count.index) : null
cidr_block = var.elasticache_subnet_ipv6_native ? null : element(concat(var.elasticache_subnets, [""]), count.index)
enable_dns64 = var.enable_ipv6 && var.elasticache_subnet_enable_dns64
enable_resource_name_dns_aaaa_record_on_launch = var.enable_ipv6 && var.elasticache_subnet_enable_resource_name_dns_aaaa_record_on_launch
enable_resource_name_dns_a_record_on_launch = !var.elasticache_subnet_ipv6_native && var.elasticache_subnet_enable_resource_name_dns_a_record_on_launch
ipv6_cidr_block = var.enable_ipv6 && length(var.elasticache_subnet_ipv6_prefixes) > 0 ? cidrsubnet(aws_vpc.this[0].ipv6_cidr_block, 8, var.elasticache_subnet_ipv6_prefixes[count.index]) : null
ipv6_native = var.enable_ipv6 && var.elasticache_subnet_ipv6_native
private_dns_hostname_type_on_launch = var.elasticache_subnet_private_dns_hostname_type_on_launch
vpc_id = local.vpc_id
subnet_ids = aws_subnet.public[*].id
tags = merge(
{ "Name" = "${var.name}-${var.public_subnet_suffix}" },
{
Name = try(
var.elasticache_subnet_names[count.index],
format("${var.name}-${var.elasticache_subnet_suffix}-%s", element(var.azs, count.index))
)
},
var.tags,
var.public_acl_tags,
var.elasticache_subnet_tags,
)
}
resource "aws_network_acl_rule" "public_inbound" {
count = local.create_vpc && var.public_dedicated_network_acl && length(var.public_subnets) > 0 ? length(var.public_inbound_acl_rules) : 0
resource "aws_elasticache_subnet_group" "elasticache" {
count = local.create_elasticache_subnets && var.create_elasticache_subnet_group ? 1 : 0
network_acl_id = aws_network_acl.public[0].id
name = coalesce(var.elasticache_subnet_group_name, var.name)
description = "ElastiCache subnet group for ${var.name}"
subnet_ids = aws_subnet.elasticache[*].id
egress = false
rule_number = var.public_inbound_acl_rules[count.index]["rule_number"]
rule_action = var.public_inbound_acl_rules[count.index]["rule_action"]
from_port = lookup(var.public_inbound_acl_rules[count.index], "from_port", null)
to_port = lookup(var.public_inbound_acl_rules[count.index], "to_port", null)
icmp_code = lookup(var.public_inbound_acl_rules[count.index], "icmp_code", null)
icmp_type = lookup(var.public_inbound_acl_rules[count.index], "icmp_type", null)
protocol = var.public_inbound_acl_rules[count.index]["protocol"]
cidr_block = lookup(var.public_inbound_acl_rules[count.index], "cidr_block", null)
ipv6_cidr_block = lookup(var.public_inbound_acl_rules[count.index], "ipv6_cidr_block", null)
tags = merge(
{ "Name" = coalesce(var.elasticache_subnet_group_name, var.name) },
var.tags,
var.elasticache_subnet_group_tags,
)
}
resource "aws_network_acl_rule" "public_outbound" {
count = local.create_vpc && var.public_dedicated_network_acl && length(var.public_subnets) > 0 ? length(var.public_outbound_acl_rules) : 0
resource "aws_route_table" "elasticache" {
count = local.create_elasticache_route_table ? 1 : 0
vpc_id = local.vpc_id
network_acl_id = aws_network_acl.public[0].id
tags = merge(
{ "Name" = "${var.name}-${var.elasticache_subnet_suffix}" },
var.tags,
var.elasticache_route_table_tags,
)
}
egress = true
rule_number = var.public_outbound_acl_rules[count.index]["rule_number"]
rule_action = var.public_outbound_acl_rules[count.index]["rule_action"]
from_port = lookup(var.public_outbound_acl_rules[count.index], "from_port", null)
to_port = lookup(var.public_outbound_acl_rules[count.index], "to_port", null)
icmp_code = lookup(var.public_outbound_acl_rules[count.index], "icmp_code", null)
icmp_type = lookup(var.public_outbound_acl_rules[count.index], "icmp_type", null)
protocol = var.public_outbound_acl_rules[count.index]["protocol"]
cidr_block = lookup(var.public_outbound_acl_rules[count.index], "cidr_block", null)
ipv6_cidr_block = lookup(var.public_outbound_acl_rules[count.index], "ipv6_cidr_block", null)
resource "aws_route_table_association" "elasticache" {
count = local.create_elasticache_subnets ? local.len_elasticache_subnets : 0
subnet_id = element(aws_subnet.elasticache[*].id, count.index)
route_table_id = element(
coalescelist(
aws_route_table.elasticache[*].id,
aws_route_table.private[*].id,
),
var.single_nat_gateway || var.create_elasticache_subnet_route_table ? 0 : count.index,
)
}
################################################################################
# Private Network ACLs
# Elasticache Network ACLs
################################################################################
resource "aws_network_acl" "private" {
count = local.create_vpc && var.private_dedicated_network_acl && length(var.private_subnets) > 0 ? 1 : 0
locals {
create_elasticache_network_acl = local.create_elasticache_subnets && var.elasticache_dedicated_network_acl
}
resource "aws_network_acl" "elasticache" {
count = local.create_elasticache_network_acl ? 1 : 0
vpc_id = local.vpc_id
subnet_ids = aws_subnet.private[*].id
subnet_ids = aws_subnet.elasticache[*].id
tags = merge(
{ "Name" = "${var.name}-${var.private_subnet_suffix}" },
{ "Name" = "${var.name}-${var.elasticache_subnet_suffix}" },
var.tags,
var.private_acl_tags,
var.elasticache_acl_tags,
)
}
resource "aws_network_acl_rule" "private_inbound" {
count = local.create_vpc && var.private_dedicated_network_acl && length(var.private_subnets) > 0 ? length(var.private_inbound_acl_rules) : 0
resource "aws_network_acl_rule" "elasticache_inbound" {
count = local.create_elasticache_network_acl ? length(var.elasticache_inbound_acl_rules) : 0
network_acl_id = aws_network_acl.private[0].id
network_acl_id = aws_network_acl.elasticache[0].id
egress = false
rule_number = var.private_inbound_acl_rules[count.index]["rule_number"]
rule_action = var.private_inbound_acl_rules[count.index]["rule_action"]
from_port = lookup(var.private_inbound_acl_rules[count.index], "from_port", null)
to_port = lookup(var.private_inbound_acl_rules[count.index], "to_port", null)
icmp_code = lookup(var.private_inbound_acl_rules[count.index], "icmp_code", null)
icmp_type = lookup(var.private_inbound_acl_rules[count.index], "icmp_type", null)
protocol = var.private_inbound_acl_rules[count.index]["protocol"]
cidr_block = lookup(var.private_inbound_acl_rules[count.index], "cidr_block", null)
ipv6_cidr_block = lookup(var.private_inbound_acl_rules[count.index], "ipv6_cidr_block", null)
rule_number = var.elasticache_inbound_acl_rules[count.index]["rule_number"]
rule_action = var.elasticache_inbound_acl_rules[count.index]["rule_action"]
from_port = lookup(var.elasticache_inbound_acl_rules[count.index], "from_port", null)
to_port = lookup(var.elasticache_inbound_acl_rules[count.index], "to_port", null)
icmp_code = lookup(var.elasticache_inbound_acl_rules[count.index], "icmp_code", null)
icmp_type = lookup(var.elasticache_inbound_acl_rules[count.index], "icmp_type", null)
protocol = var.elasticache_inbound_acl_rules[count.index]["protocol"]
cidr_block = lookup(var.elasticache_inbound_acl_rules[count.index], "cidr_block", null)
ipv6_cidr_block = lookup(var.elasticache_inbound_acl_rules[count.index], "ipv6_cidr_block", null)
}
resource "aws_network_acl_rule" "private_outbound" {
count = local.create_vpc && var.private_dedicated_network_acl && length(var.private_subnets) > 0 ? length(var.private_outbound_acl_rules) : 0
resource "aws_network_acl_rule" "elasticache_outbound" {
count = local.create_elasticache_network_acl ? length(var.elasticache_outbound_acl_rules) : 0
network_acl_id = aws_network_acl.private[0].id
network_acl_id = aws_network_acl.elasticache[0].id
egress = true
rule_number = var.private_outbound_acl_rules[count.index]["rule_number"]
rule_action = var.private_outbound_acl_rules[count.index]["rule_action"]
from_port = lookup(var.private_outbound_acl_rules[count.index], "from_port", null)
to_port = lookup(var.private_outbound_acl_rules[count.index], "to_port", null)
icmp_code = lookup(var.private_outbound_acl_rules[count.index], "icmp_code", null)
icmp_type = lookup(var.private_outbound_acl_rules[count.index], "icmp_type", null)
protocol = var.private_outbound_acl_rules[count.index]["protocol"]
cidr_block = lookup(var.private_outbound_acl_rules[count.index], "cidr_block", null)
ipv6_cidr_block = lookup(var.private_outbound_acl_rules[count.index], "ipv6_cidr_block", null)
rule_number = var.elasticache_outbound_acl_rules[count.index]["rule_number"]
rule_action = var.elasticache_outbound_acl_rules[count.index]["rule_action"]
from_port = lookup(var.elasticache_outbound_acl_rules[count.index], "from_port", null)
to_port = lookup(var.elasticache_outbound_acl_rules[count.index], "to_port", null)
icmp_code = lookup(var.elasticache_outbound_acl_rules[count.index], "icmp_code", null)
icmp_type = lookup(var.elasticache_outbound_acl_rules[count.index], "icmp_type", null)
protocol = var.elasticache_outbound_acl_rules[count.index]["protocol"]
cidr_block = lookup(var.elasticache_outbound_acl_rules[count.index], "cidr_block", null)
ipv6_cidr_block = lookup(var.elasticache_outbound_acl_rules[count.index], "ipv6_cidr_block", null)
}
################################################################################
# Outpost Network ACLs
# Intra Subnets
################################################################################
resource "aws_network_acl" "outpost" {
count = local.create_vpc && var.outpost_dedicated_network_acl && length(var.outpost_subnets) > 0 ? 1 : 0
locals {
create_intra_subnets = local.create_vpc && local.len_intra_subnets > 0
}
resource "aws_subnet" "intra" {
count = local.create_intra_subnets ? local.len_intra_subnets : 0
assign_ipv6_address_on_creation = var.enable_ipv6 && var.intra_subnet_ipv6_native ? true : var.intra_subnet_assign_ipv6_address_on_creation
availability_zone = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) > 0 ? element(var.azs, count.index) : null
availability_zone_id = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) == 0 ? element(var.azs, count.index) : null
cidr_block = var.intra_subnet_ipv6_native ? null : element(concat(var.intra_subnets, [""]), count.index)
enable_dns64 = var.enable_ipv6 && var.intra_subnet_enable_dns64
enable_resource_name_dns_aaaa_record_on_launch = var.enable_ipv6 && var.intra_subnet_enable_resource_name_dns_aaaa_record_on_launch
enable_resource_name_dns_a_record_on_launch = !var.intra_subnet_ipv6_native && var.intra_subnet_enable_resource_name_dns_a_record_on_launch
ipv6_cidr_block = var.enable_ipv6 && length(var.intra_subnet_ipv6_prefixes) > 0 ? cidrsubnet(aws_vpc.this[0].ipv6_cidr_block, 8, var.intra_subnet_ipv6_prefixes[count.index]) : null
ipv6_native = var.enable_ipv6 && var.intra_subnet_ipv6_native
private_dns_hostname_type_on_launch = var.intra_subnet_private_dns_hostname_type_on_launch
vpc_id = local.vpc_id
subnet_ids = aws_subnet.outpost[*].id
tags = merge(
{ "Name" = "${var.name}-${var.outpost_subnet_suffix}" },
{
Name = try(
var.intra_subnet_names[count.index],
format("${var.name}-${var.intra_subnet_suffix}-%s", element(var.azs, count.index))
)
},
var.tags,
var.outpost_acl_tags,
var.intra_subnet_tags,
)
}
resource "aws_network_acl_rule" "outpost_inbound" {
count = local.create_vpc && var.outpost_dedicated_network_acl && length(var.outpost_subnets) > 0 ? length(var.outpost_inbound_acl_rules) : 0
resource "aws_route_table" "intra" {
count = local.create_intra_subnets ? 1 : 0
network_acl_id = aws_network_acl.outpost[0].id
vpc_id = local.vpc_id
egress = false
rule_number = var.outpost_inbound_acl_rules[count.index]["rule_number"]
rule_action = var.outpost_inbound_acl_rules[count.index]["rule_action"]
from_port = lookup(var.outpost_inbound_acl_rules[count.index], "from_port", null)
to_port = lookup(var.outpost_inbound_acl_rules[count.index], "to_port", null)
icmp_code = lookup(var.outpost_inbound_acl_rules[count.index], "icmp_code", null)
icmp_type = lookup(var.outpost_inbound_acl_rules[count.index], "icmp_type", null)
protocol = var.outpost_inbound_acl_rules[count.index]["protocol"]
cidr_block = lookup(var.outpost_inbound_acl_rules[count.index], "cidr_block", null)
ipv6_cidr_block = lookup(var.outpost_inbound_acl_rules[count.index], "ipv6_cidr_block", null)
tags = merge(
{ "Name" = "${var.name}-${var.intra_subnet_suffix}" },
var.tags,
var.intra_route_table_tags,
)
}
resource "aws_network_acl_rule" "outpost_outbound" {
count = local.create_vpc && var.outpost_dedicated_network_acl && length(var.outpost_subnets) > 0 ? length(var.outpost_outbound_acl_rules) : 0
network_acl_id = aws_network_acl.outpost[0].id
resource "aws_route_table_association" "intra" {
count = local.create_intra_subnets ? local.len_intra_subnets : 0
egress = true
rule_number = var.outpost_outbound_acl_rules[count.index]["rule_number"]
rule_action = var.outpost_outbound_acl_rules[count.index]["rule_action"]
from_port = lookup(var.outpost_outbound_acl_rules[count.index], "from_port", null)
to_port = lookup(var.outpost_outbound_acl_rules[count.index], "to_port", null)
icmp_code = lookup(var.outpost_outbound_acl_rules[count.index], "icmp_code", null)
icmp_type = lookup(var.outpost_outbound_acl_rules[count.index], "icmp_type", null)
protocol = var.outpost_outbound_acl_rules[count.index]["protocol"]
cidr_block = lookup(var.outpost_outbound_acl_rules[count.index], "cidr_block", null)
ipv6_cidr_block = lookup(var.outpost_outbound_acl_rules[count.index], "ipv6_cidr_block", null)
subnet_id = element(aws_subnet.intra[*].id, count.index)
route_table_id = element(aws_route_table.intra[*].id, 0)
}
################################################################################
# Intra Network ACLs
################################################################################
locals {
create_intra_network_acl = local.create_intra_subnets && var.intra_dedicated_network_acl
}
resource "aws_network_acl" "intra" {
count = local.create_vpc && var.intra_dedicated_network_acl && length(var.intra_subnets) > 0 ? 1 : 0
count = local.create_intra_network_acl ? 1 : 0
vpc_id = local.vpc_id
subnet_ids = aws_subnet.intra[*].id
......@@ -813,7 +844,7 @@ resource "aws_network_acl" "intra" {
}
resource "aws_network_acl_rule" "intra_inbound" {
count = local.create_vpc && var.intra_dedicated_network_acl && length(var.intra_subnets) > 0 ? length(var.intra_inbound_acl_rules) : 0
count = local.create_intra_network_acl ? length(var.intra_inbound_acl_rules) : 0
network_acl_id = aws_network_acl.intra[0].id
......@@ -830,7 +861,7 @@ resource "aws_network_acl_rule" "intra_inbound" {
}
resource "aws_network_acl_rule" "intra_outbound" {
count = local.create_vpc && var.intra_dedicated_network_acl && length(var.intra_subnets) > 0 ? length(var.intra_outbound_acl_rules) : 0
count = local.create_intra_network_acl ? length(var.intra_outbound_acl_rules) : 0
network_acl_id = aws_network_acl.intra[0].id
......@@ -847,156 +878,141 @@ resource "aws_network_acl_rule" "intra_outbound" {
}
################################################################################
# Database Network ACLs
# Outpost Subnets
################################################################################
resource "aws_network_acl" "database" {
count = local.create_vpc && var.database_dedicated_network_acl && length(var.database_subnets) > 0 ? 1 : 0
locals {
create_outpost_subnets = local.create_vpc && local.len_outpost_subnets > 0
}
resource "aws_subnet" "outpost" {
count = local.create_outpost_subnets ? local.len_outpost_subnets : 0
assign_ipv6_address_on_creation = var.enable_ipv6 && var.outpost_subnet_ipv6_native ? true : var.outpost_subnet_assign_ipv6_address_on_creation
availability_zone = var.outpost_az
cidr_block = var.outpost_subnet_ipv6_native ? null : element(concat(var.outpost_subnets, [""]), count.index)
customer_owned_ipv4_pool = var.customer_owned_ipv4_pool
enable_dns64 = var.enable_ipv6 && var.outpost_subnet_enable_dns64
enable_resource_name_dns_aaaa_record_on_launch = var.enable_ipv6 && var.outpost_subnet_enable_resource_name_dns_aaaa_record_on_launch
enable_resource_name_dns_a_record_on_launch = !var.outpost_subnet_ipv6_native && var.outpost_subnet_enable_resource_name_dns_a_record_on_launch
ipv6_cidr_block = var.enable_ipv6 && length(var.outpost_subnet_ipv6_prefixes) > 0 ? cidrsubnet(aws_vpc.this[0].ipv6_cidr_block, 8, var.outpost_subnet_ipv6_prefixes[count.index]) : null
ipv6_native = var.enable_ipv6 && var.outpost_subnet_ipv6_native
map_customer_owned_ip_on_launch = var.map_customer_owned_ip_on_launch
outpost_arn = var.outpost_arn
private_dns_hostname_type_on_launch = var.outpost_subnet_private_dns_hostname_type_on_launch
vpc_id = local.vpc_id
subnet_ids = aws_subnet.database[*].id
tags = merge(
{ "Name" = "${var.name}-${var.database_subnet_suffix}" },
{
Name = try(
var.outpost_subnet_names[count.index],
format("${var.name}-${var.outpost_subnet_suffix}-%s", var.outpost_az)
)
},
var.tags,
var.database_acl_tags,
var.outpost_subnet_tags,
)
}
resource "aws_network_acl_rule" "database_inbound" {
count = local.create_vpc && var.database_dedicated_network_acl && length(var.database_subnets) > 0 ? length(var.database_inbound_acl_rules) : 0
network_acl_id = aws_network_acl.database[0].id
egress = false
rule_number = var.database_inbound_acl_rules[count.index]["rule_number"]
rule_action = var.database_inbound_acl_rules[count.index]["rule_action"]
from_port = lookup(var.database_inbound_acl_rules[count.index], "from_port", null)
to_port = lookup(var.database_inbound_acl_rules[count.index], "to_port", null)
icmp_code = lookup(var.database_inbound_acl_rules[count.index], "icmp_code", null)
icmp_type = lookup(var.database_inbound_acl_rules[count.index], "icmp_type", null)
protocol = var.database_inbound_acl_rules[count.index]["protocol"]
cidr_block = lookup(var.database_inbound_acl_rules[count.index], "cidr_block", null)
ipv6_cidr_block = lookup(var.database_inbound_acl_rules[count.index], "ipv6_cidr_block", null)
}
resource "aws_network_acl_rule" "database_outbound" {
count = local.create_vpc && var.database_dedicated_network_acl && length(var.database_subnets) > 0 ? length(var.database_outbound_acl_rules) : 0
network_acl_id = aws_network_acl.database[0].id
resource "aws_route_table_association" "outpost" {
count = local.create_outpost_subnets ? local.len_outpost_subnets : 0
egress = true
rule_number = var.database_outbound_acl_rules[count.index]["rule_number"]
rule_action = var.database_outbound_acl_rules[count.index]["rule_action"]
from_port = lookup(var.database_outbound_acl_rules[count.index], "from_port", null)
to_port = lookup(var.database_outbound_acl_rules[count.index], "to_port", null)
icmp_code = lookup(var.database_outbound_acl_rules[count.index], "icmp_code", null)
icmp_type = lookup(var.database_outbound_acl_rules[count.index], "icmp_type", null)
protocol = var.database_outbound_acl_rules[count.index]["protocol"]
cidr_block = lookup(var.database_outbound_acl_rules[count.index], "cidr_block", null)
ipv6_cidr_block = lookup(var.database_outbound_acl_rules[count.index], "ipv6_cidr_block", null)
subnet_id = element(aws_subnet.outpost[*].id, count.index)
route_table_id = element(
aws_route_table.private[*].id,
var.single_nat_gateway ? 0 : count.index,
)
}
################################################################################
# Redshift Network ACLs
# Outpost Network ACLs
################################################################################
resource "aws_network_acl" "redshift" {
count = local.create_vpc && var.redshift_dedicated_network_acl && length(var.redshift_subnets) > 0 ? 1 : 0
locals {
create_outpost_network_acl = local.create_outpost_subnets && var.outpost_dedicated_network_acl
}
resource "aws_network_acl" "outpost" {
count = local.create_outpost_network_acl ? 1 : 0
vpc_id = local.vpc_id
subnet_ids = aws_subnet.redshift[*].id
subnet_ids = aws_subnet.outpost[*].id
tags = merge(
{ "Name" = "${var.name}-${var.redshift_subnet_suffix}" },
{ "Name" = "${var.name}-${var.outpost_subnet_suffix}" },
var.tags,
var.redshift_acl_tags,
var.outpost_acl_tags,
)
}
resource "aws_network_acl_rule" "redshift_inbound" {
count = local.create_vpc && var.redshift_dedicated_network_acl && length(var.redshift_subnets) > 0 ? length(var.redshift_inbound_acl_rules) : 0
resource "aws_network_acl_rule" "outpost_inbound" {
count = local.create_outpost_network_acl ? length(var.outpost_inbound_acl_rules) : 0
network_acl_id = aws_network_acl.redshift[0].id
network_acl_id = aws_network_acl.outpost[0].id
egress = false
rule_number = var.redshift_inbound_acl_rules[count.index]["rule_number"]
rule_action = var.redshift_inbound_acl_rules[count.index]["rule_action"]
from_port = lookup(var.redshift_inbound_acl_rules[count.index], "from_port", null)
to_port = lookup(var.redshift_inbound_acl_rules[count.index], "to_port", null)
icmp_code = lookup(var.redshift_inbound_acl_rules[count.index], "icmp_code", null)
icmp_type = lookup(var.redshift_inbound_acl_rules[count.index], "icmp_type", null)
protocol = var.redshift_inbound_acl_rules[count.index]["protocol"]
cidr_block = lookup(var.redshift_inbound_acl_rules[count.index], "cidr_block", null)
ipv6_cidr_block = lookup(var.redshift_inbound_acl_rules[count.index], "ipv6_cidr_block", null)
rule_number = var.outpost_inbound_acl_rules[count.index]["rule_number"]
rule_action = var.outpost_inbound_acl_rules[count.index]["rule_action"]
from_port = lookup(var.outpost_inbound_acl_rules[count.index], "from_port", null)
to_port = lookup(var.outpost_inbound_acl_rules[count.index], "to_port", null)
icmp_code = lookup(var.outpost_inbound_acl_rules[count.index], "icmp_code", null)
icmp_type = lookup(var.outpost_inbound_acl_rules[count.index], "icmp_type", null)
protocol = var.outpost_inbound_acl_rules[count.index]["protocol"]
cidr_block = lookup(var.outpost_inbound_acl_rules[count.index], "cidr_block", null)
ipv6_cidr_block = lookup(var.outpost_inbound_acl_rules[count.index], "ipv6_cidr_block", null)
}
resource "aws_network_acl_rule" "redshift_outbound" {
count = local.create_vpc && var.redshift_dedicated_network_acl && length(var.redshift_subnets) > 0 ? length(var.redshift_outbound_acl_rules) : 0
resource "aws_network_acl_rule" "outpost_outbound" {
count = local.create_outpost_network_acl ? length(var.outpost_outbound_acl_rules) : 0
network_acl_id = aws_network_acl.redshift[0].id
network_acl_id = aws_network_acl.outpost[0].id
egress = true
rule_number = var.redshift_outbound_acl_rules[count.index]["rule_number"]
rule_action = var.redshift_outbound_acl_rules[count.index]["rule_action"]
from_port = lookup(var.redshift_outbound_acl_rules[count.index], "from_port", null)
to_port = lookup(var.redshift_outbound_acl_rules[count.index], "to_port", null)
icmp_code = lookup(var.redshift_outbound_acl_rules[count.index], "icmp_code", null)
icmp_type = lookup(var.redshift_outbound_acl_rules[count.index], "icmp_type", null)
protocol = var.redshift_outbound_acl_rules[count.index]["protocol"]
cidr_block = lookup(var.redshift_outbound_acl_rules[count.index], "cidr_block", null)
ipv6_cidr_block = lookup(var.redshift_outbound_acl_rules[count.index], "ipv6_cidr_block", null)
rule_number = var.outpost_outbound_acl_rules[count.index]["rule_number"]
rule_action = var.outpost_outbound_acl_rules[count.index]["rule_action"]
from_port = lookup(var.outpost_outbound_acl_rules[count.index], "from_port", null)
to_port = lookup(var.outpost_outbound_acl_rules[count.index], "to_port", null)
icmp_code = lookup(var.outpost_outbound_acl_rules[count.index], "icmp_code", null)
icmp_type = lookup(var.outpost_outbound_acl_rules[count.index], "icmp_type", null)
protocol = var.outpost_outbound_acl_rules[count.index]["protocol"]
cidr_block = lookup(var.outpost_outbound_acl_rules[count.index], "cidr_block", null)
ipv6_cidr_block = lookup(var.outpost_outbound_acl_rules[count.index], "ipv6_cidr_block", null)
}
################################################################################
# Elasticache Network ACLs
# Internet Gateway
################################################################################
resource "aws_network_acl" "elasticache" {
count = local.create_vpc && var.elasticache_dedicated_network_acl && length(var.elasticache_subnets) > 0 ? 1 : 0
resource "aws_internet_gateway" "this" {
count = local.create_public_subnets && var.create_igw ? 1 : 0
vpc_id = local.vpc_id
subnet_ids = aws_subnet.elasticache[*].id
tags = merge(
{ "Name" = "${var.name}-${var.elasticache_subnet_suffix}" },
{ "Name" = var.name },
var.tags,
var.elasticache_acl_tags,
var.igw_tags,
)
}
resource "aws_network_acl_rule" "elasticache_inbound" {
count = local.create_vpc && var.elasticache_dedicated_network_acl && length(var.elasticache_subnets) > 0 ? length(var.elasticache_inbound_acl_rules) : 0
resource "aws_egress_only_internet_gateway" "this" {
count = local.create_vpc && var.create_egress_only_igw && var.enable_ipv6 && local.max_subnet_length > 0 ? 1 : 0
network_acl_id = aws_network_acl.elasticache[0].id
vpc_id = local.vpc_id
egress = false
rule_number = var.elasticache_inbound_acl_rules[count.index]["rule_number"]
rule_action = var.elasticache_inbound_acl_rules[count.index]["rule_action"]
from_port = lookup(var.elasticache_inbound_acl_rules[count.index], "from_port", null)
to_port = lookup(var.elasticache_inbound_acl_rules[count.index], "to_port", null)
icmp_code = lookup(var.elasticache_inbound_acl_rules[count.index], "icmp_code", null)
icmp_type = lookup(var.elasticache_inbound_acl_rules[count.index], "icmp_type", null)
protocol = var.elasticache_inbound_acl_rules[count.index]["protocol"]
cidr_block = lookup(var.elasticache_inbound_acl_rules[count.index], "cidr_block", null)
ipv6_cidr_block = lookup(var.elasticache_inbound_acl_rules[count.index], "ipv6_cidr_block", null)
tags = merge(
{ "Name" = var.name },
var.tags,
var.igw_tags,
)
}
resource "aws_network_acl_rule" "elasticache_outbound" {
count = local.create_vpc && var.elasticache_dedicated_network_acl && length(var.elasticache_subnets) > 0 ? length(var.elasticache_outbound_acl_rules) : 0
network_acl_id = aws_network_acl.elasticache[0].id
resource "aws_route" "private_ipv6_egress" {
count = local.create_vpc && var.create_egress_only_igw && var.enable_ipv6 ? local.len_private_subnets : 0
egress = true
rule_number = var.elasticache_outbound_acl_rules[count.index]["rule_number"]
rule_action = var.elasticache_outbound_acl_rules[count.index]["rule_action"]
from_port = lookup(var.elasticache_outbound_acl_rules[count.index], "from_port", null)
to_port = lookup(var.elasticache_outbound_acl_rules[count.index], "to_port", null)
icmp_code = lookup(var.elasticache_outbound_acl_rules[count.index], "icmp_code", null)
icmp_type = lookup(var.elasticache_outbound_acl_rules[count.index], "icmp_type", null)
protocol = var.elasticache_outbound_acl_rules[count.index]["protocol"]
cidr_block = lookup(var.elasticache_outbound_acl_rules[count.index], "cidr_block", null)
ipv6_cidr_block = lookup(var.elasticache_outbound_acl_rules[count.index], "ipv6_cidr_block", null)
route_table_id = element(aws_route_table.private[*].id, count.index)
destination_ipv6_cidr_block = "::/0"
egress_only_gateway_id = element(aws_egress_only_internet_gateway.this[*].id, 0)
}
################################################################################
......@@ -1004,11 +1020,12 @@ resource "aws_network_acl_rule" "elasticache_outbound" {
################################################################################
locals {
nat_gateway_count = var.single_nat_gateway ? 1 : var.one_nat_gateway_per_az ? length(var.azs) : local.max_subnet_length
nat_gateway_ips = var.reuse_nat_ips ? var.external_nat_ip_ids : try(aws_eip.nat[*].id, [])
}
resource "aws_eip" "nat" {
count = local.create_vpc && var.enable_nat_gateway && false == var.reuse_nat_ips ? local.nat_gateway_count : 0
count = local.create_vpc && var.enable_nat_gateway && !var.reuse_nat_ips ? local.nat_gateway_count : 0
vpc = true
......@@ -1062,95 +1079,6 @@ resource "aws_route" "private_nat_gateway" {
}
}
resource "aws_route" "private_ipv6_egress" {
count = local.create_vpc && var.create_egress_only_igw && var.enable_ipv6 ? length(var.private_subnets) : 0
route_table_id = element(aws_route_table.private[*].id, count.index)
destination_ipv6_cidr_block = "::/0"
egress_only_gateway_id = element(aws_egress_only_internet_gateway.this[*].id, 0)
}
################################################################################
# Route table association
################################################################################
resource "aws_route_table_association" "private" {
count = local.create_vpc && length(var.private_subnets) > 0 ? length(var.private_subnets) : 0
subnet_id = element(aws_subnet.private[*].id, count.index)
route_table_id = element(
aws_route_table.private[*].id,
var.single_nat_gateway ? 0 : count.index,
)
}
resource "aws_route_table_association" "outpost" {
count = local.create_vpc && length(var.outpost_subnets) > 0 ? length(var.outpost_subnets) : 0
subnet_id = element(aws_subnet.outpost[*].id, count.index)
route_table_id = element(
aws_route_table.private[*].id,
var.single_nat_gateway ? 0 : count.index,
)
}
resource "aws_route_table_association" "database" {
count = local.create_vpc && length(var.database_subnets) > 0 ? length(var.database_subnets) : 0
subnet_id = element(aws_subnet.database[*].id, count.index)
route_table_id = element(
coalescelist(aws_route_table.database[*].id, aws_route_table.private[*].id),
var.create_database_subnet_route_table ? var.single_nat_gateway || var.create_database_internet_gateway_route ? 0 : count.index : count.index,
)
}
resource "aws_route_table_association" "redshift" {
count = local.create_vpc && length(var.redshift_subnets) > 0 && false == var.enable_public_redshift ? length(var.redshift_subnets) : 0
subnet_id = element(aws_subnet.redshift[*].id, count.index)
route_table_id = element(
coalescelist(aws_route_table.redshift[*].id, aws_route_table.private[*].id),
var.single_nat_gateway || var.create_redshift_subnet_route_table ? 0 : count.index,
)
}
resource "aws_route_table_association" "redshift_public" {
count = local.create_vpc && length(var.redshift_subnets) > 0 && var.enable_public_redshift ? length(var.redshift_subnets) : 0
subnet_id = element(aws_subnet.redshift[*].id, count.index)
route_table_id = element(
coalescelist(aws_route_table.redshift[*].id, aws_route_table.public[*].id),
var.single_nat_gateway || var.create_redshift_subnet_route_table ? 0 : count.index,
)
}
resource "aws_route_table_association" "elasticache" {
count = local.create_vpc && length(var.elasticache_subnets) > 0 ? length(var.elasticache_subnets) : 0
subnet_id = element(aws_subnet.elasticache[*].id, count.index)
route_table_id = element(
coalescelist(
aws_route_table.elasticache[*].id,
aws_route_table.private[*].id,
),
var.single_nat_gateway || var.create_elasticache_subnet_route_table ? 0 : count.index,
)
}
resource "aws_route_table_association" "intra" {
count = local.create_vpc && length(var.intra_subnets) > 0 ? length(var.intra_subnets) : 0
subnet_id = element(aws_subnet.intra[*].id, count.index)
route_table_id = element(aws_route_table.intra[*].id, 0)
}
resource "aws_route_table_association" "public" {
count = local.create_vpc && length(var.public_subnets) > 0 ? length(var.public_subnets) : 0
subnet_id = element(aws_subnet.public[*].id, count.index)
route_table_id = aws_route_table.public[0].id
}
################################################################################
# Customer Gateways
################################################################################
......@@ -1209,7 +1137,7 @@ resource "aws_vpn_gateway_route_propagation" "public" {
}
resource "aws_vpn_gateway_route_propagation" "private" {
count = local.create_vpc && var.propagate_private_route_tables_vgw && (var.enable_vpn_gateway || var.vpn_gateway_id != "") ? length(var.private_subnets) : 0
count = local.create_vpc && var.propagate_private_route_tables_vgw && (var.enable_vpn_gateway || var.vpn_gateway_id != "") ? local.len_private_subnets : 0
route_table_id = element(aws_route_table.private[*].id, count.index)
vpn_gateway_id = element(
......@@ -1222,7 +1150,7 @@ resource "aws_vpn_gateway_route_propagation" "private" {
}
resource "aws_vpn_gateway_route_propagation" "intra" {
count = local.create_vpc && var.propagate_intra_route_tables_vgw && (var.enable_vpn_gateway || var.vpn_gateway_id != "") ? length(var.intra_subnets) : 0
count = local.create_vpc && var.propagate_intra_route_tables_vgw && (var.enable_vpn_gateway || var.vpn_gateway_id != "") ? local.len_intra_subnets : 0
route_table_id = element(aws_route_table.intra[*].id, count.index)
vpn_gateway_id = element(
......@@ -1235,7 +1163,7 @@ resource "aws_vpn_gateway_route_propagation" "intra" {
}
################################################################################
# Defaults
# Default VPC
################################################################################
resource "aws_default_vpc" "this" {
......@@ -1243,7 +1171,6 @@ resource "aws_default_vpc" "this" {
enable_dns_support = var.default_vpc_enable_dns_support
enable_dns_hostnames = var.default_vpc_enable_dns_hostnames
enable_classiclink = null # https://github.com/hashicorp/terraform/issues/31730
tags = merge(
{ "Name" = coalesce(var.default_vpc_name, "default") },
......@@ -1251,3 +1178,139 @@ resource "aws_default_vpc" "this" {
var.default_vpc_tags,
)
}
resource "aws_default_security_group" "this" {
count = local.create_vpc && var.manage_default_security_group ? 1 : 0
vpc_id = aws_vpc.this[0].id
dynamic "ingress" {
for_each = var.default_security_group_ingress
content {
self = lookup(ingress.value, "self", null)
cidr_blocks = compact(split(",", lookup(ingress.value, "cidr_blocks", "")))
ipv6_cidr_blocks = compact(split(",", lookup(ingress.value, "ipv6_cidr_blocks", "")))
prefix_list_ids = compact(split(",", lookup(ingress.value, "prefix_list_ids", "")))
security_groups = compact(split(",", lookup(ingress.value, "security_groups", "")))
description = lookup(ingress.value, "description", null)
from_port = lookup(ingress.value, "from_port", 0)
to_port = lookup(ingress.value, "to_port", 0)
protocol = lookup(ingress.value, "protocol", "-1")
}
}
dynamic "egress" {
for_each = var.default_security_group_egress
content {
self = lookup(egress.value, "self", null)
cidr_blocks = compact(split(",", lookup(egress.value, "cidr_blocks", "")))
ipv6_cidr_blocks = compact(split(",", lookup(egress.value, "ipv6_cidr_blocks", "")))
prefix_list_ids = compact(split(",", lookup(egress.value, "prefix_list_ids", "")))
security_groups = compact(split(",", lookup(egress.value, "security_groups", "")))
description = lookup(egress.value, "description", null)
from_port = lookup(egress.value, "from_port", 0)
to_port = lookup(egress.value, "to_port", 0)
protocol = lookup(egress.value, "protocol", "-1")
}
}
tags = merge(
{ "Name" = coalesce(var.default_security_group_name, "${var.name}-default") },
var.tags,
var.default_security_group_tags,
)
}
################################################################################
# Default Network ACLs
################################################################################
resource "aws_default_network_acl" "this" {
count = local.create_vpc && var.manage_default_network_acl ? 1 : 0
default_network_acl_id = aws_vpc.this[0].default_network_acl_id
# subnet_ids is using lifecycle ignore_changes, so it is not necessary to list
# any explicitly. See https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/736
subnet_ids = null
dynamic "ingress" {
for_each = var.default_network_acl_ingress
content {
action = ingress.value.action
cidr_block = lookup(ingress.value, "cidr_block", null)
from_port = ingress.value.from_port
icmp_code = lookup(ingress.value, "icmp_code", null)
icmp_type = lookup(ingress.value, "icmp_type", null)
ipv6_cidr_block = lookup(ingress.value, "ipv6_cidr_block", null)
protocol = ingress.value.protocol
rule_no = ingress.value.rule_no
to_port = ingress.value.to_port
}
}
dynamic "egress" {
for_each = var.default_network_acl_egress
content {
action = egress.value.action
cidr_block = lookup(egress.value, "cidr_block", null)
from_port = egress.value.from_port
icmp_code = lookup(egress.value, "icmp_code", null)
icmp_type = lookup(egress.value, "icmp_type", null)
ipv6_cidr_block = lookup(egress.value, "ipv6_cidr_block", null)
protocol = egress.value.protocol
rule_no = egress.value.rule_no
to_port = egress.value.to_port
}
}
tags = merge(
{ "Name" = coalesce(var.default_network_acl_name, "${var.name}-default") },
var.tags,
var.default_network_acl_tags,
)
lifecycle {
ignore_changes = [subnet_ids]
}
}
################################################################################
# Default Route
################################################################################
resource "aws_default_route_table" "default" {
count = local.create_vpc && var.manage_default_route_table ? 1 : 0
default_route_table_id = aws_vpc.this[0].default_route_table_id
propagating_vgws = var.default_route_table_propagating_vgws
dynamic "route" {
for_each = var.default_route_table_routes
content {
# One of the following destinations must be provided
cidr_block = route.value.cidr_block
ipv6_cidr_block = lookup(route.value, "ipv6_cidr_block", null)
# One of the following targets must be provided
egress_only_gateway_id = lookup(route.value, "egress_only_gateway_id", null)
gateway_id = lookup(route.value, "gateway_id", null)
instance_id = lookup(route.value, "instance_id", null)
nat_gateway_id = lookup(route.value, "nat_gateway_id", null)
network_interface_id = lookup(route.value, "network_interface_id", null)
transit_gateway_id = lookup(route.value, "transit_gateway_id", null)
vpc_endpoint_id = lookup(route.value, "vpc_endpoint_id", null)
vpc_peering_connection_id = lookup(route.value, "vpc_peering_connection_id", null)
}
}
timeouts {
create = "5m"
update = "5m"
}
tags = merge(
{ "Name" = coalesce(var.default_route_table_name, "${var.name}-default") },
var.tags,
var.default_route_table_tags,
)
}
modules/vpc-endpoints/README.md
View file @ 44e6eaa1
......@@ -55,14 +55,14 @@ module "endpoints" {
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.28 |
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.35 |
## Providers
| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.28 |
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.35 |
## Modules
......
modules/vpc-endpoints/versions.tf
View file @ 44e6eaa1
terraform {
required_version = ">= 0.13.1"
required_version = ">= 1.0"
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 3.28"
version = ">= 4.35"
}
}
}
outputs.tf
View file @ 44e6eaa1
locals {
redshift_route_table_ids = aws_route_table.redshift[*].id
public_route_table_ids = aws_route_table.public[*].id
private_route_table_ids = aws_route_table.private[*].id
}
################################################################################
# VPC
################################################################################
output "vpc_id" {
description = "The ID of the VPC"
value = try(aws_vpc.this[0].id, "")
value = try(aws_vpc.this[0].id, null)
}
output "vpc_arn" {
description = "The ARN of the VPC"
value = try(aws_vpc.this[0].arn, "")
value = try(aws_vpc.this[0].arn, null)
}
output "vpc_cidr_block" {
description = "The CIDR block of the VPC"
value = try(aws_vpc.this[0].cidr_block, "")
value = try(aws_vpc.this[0].cidr_block, null)
}
output "default_security_group_id" {
description = "The ID of the security group created by default on VPC creation"
value = try(aws_vpc.this[0].default_security_group_id, "")
value = try(aws_vpc.this[0].default_security_group_id, null)
}
output "default_network_acl_id" {
description = "The ID of the default network ACL"
value = try(aws_vpc.this[0].default_network_acl_id, "")
value = try(aws_vpc.this[0].default_network_acl_id, null)
}
output "default_route_table_id" {
description = "The ID of the default route table"
value = try(aws_vpc.this[0].default_route_table_id, "")
value = try(aws_vpc.this[0].default_route_table_id, null)
}
output "vpc_instance_tenancy" {
description = "Tenancy of instances spin up within VPC"
value = try(aws_vpc.this[0].instance_tenancy, "")
value = try(aws_vpc.this[0].instance_tenancy, null)
}
output "vpc_enable_dns_support" {
description = "Whether or not the VPC has DNS support"
value = try(aws_vpc.this[0].enable_dns_support, "")
value = try(aws_vpc.this[0].enable_dns_support, null)
}
output "vpc_enable_dns_hostnames" {
description = "Whether or not the VPC has DNS hostname support"
value = try(aws_vpc.this[0].enable_dns_hostnames, "")
value = try(aws_vpc.this[0].enable_dns_hostnames, null)
}
output "vpc_main_route_table_id" {
description = "The ID of the main route table associated with this VPC"
value = try(aws_vpc.this[0].main_route_table_id, "")
value = try(aws_vpc.this[0].main_route_table_id, null)
}
output "vpc_ipv6_association_id" {
description = "The association ID for the IPv6 CIDR block"
value = try(aws_vpc.this[0].ipv6_association_id, "")
value = try(aws_vpc.this[0].ipv6_association_id, null)
}
output "vpc_ipv6_cidr_block" {
description = "The IPv6 CIDR block"
value = try(aws_vpc.this[0].ipv6_cidr_block, "")
value = try(aws_vpc.this[0].ipv6_cidr_block, null)
}
output "vpc_secondary_cidr_blocks" {
......@@ -65,9 +75,90 @@ output "vpc_secondary_cidr_blocks" {
output "vpc_owner_id" {
description = "The ID of the AWS account that owns the VPC"
value = try(aws_vpc.this[0].owner_id, "")
value = try(aws_vpc.this[0].owner_id, null)
}
################################################################################
# DHCP Options Set
################################################################################
output "dhcp_options_id" {
description = "The ID of the DHCP options"
value = try(aws_vpc_dhcp_options.this[0].id, null)
}
################################################################################
# Internet Gateway
################################################################################
output "igw_id" {
description = "The ID of the Internet Gateway"
value = try(aws_internet_gateway.this[0].id, null)
}
output "igw_arn" {
description = "The ARN of the Internet Gateway"
value = try(aws_internet_gateway.this[0].arn, null)
}
################################################################################
# Publiс Subnets
################################################################################
output "public_subnets" {
description = "List of IDs of public subnets"
value = aws_subnet.public[*].id
}
output "public_subnet_arns" {
description = "List of ARNs of public subnets"
value = aws_subnet.public[*].arn
}
output "public_subnets_cidr_blocks" {
description = "List of cidr_blocks of public subnets"
value = compact(aws_subnet.public[*].cidr_block)
}
output "public_subnets_ipv6_cidr_blocks" {
description = "List of IPv6 cidr_blocks of public subnets in an IPv6 enabled VPC"
value = compact(aws_subnet.public[*].ipv6_cidr_block)
}
output "public_route_table_ids" {
description = "List of IDs of public route tables"
value = local.public_route_table_ids
}
output "public_internet_gateway_route_id" {
description = "ID of the internet gateway route"
value = try(aws_route.public_internet_gateway[0].id, null)
}
output "public_internet_gateway_ipv6_route_id" {
description = "ID of the IPv6 internet gateway route"
value = try(aws_route.public_internet_gateway_ipv6[0].id, null)
}
output "public_route_table_association_ids" {
description = "List of IDs of the public route table association"
value = aws_route_table_association.public[*].id
}
output "public_network_acl_id" {
description = "ID of the public network ACL"
value = try(aws_network_acl.public[0].id, null)
}
output "public_network_acl_arn" {
description = "ARN of the public network ACL"
value = try(aws_network_acl.public[0].arn, null)
}
################################################################################
# Private Subnets
################################################################################
output "private_subnets" {
description = "List of IDs of private subnets"
value = aws_subnet.private[*].id
......@@ -88,26 +179,40 @@ output "private_subnets_ipv6_cidr_blocks" {
value = compact(aws_subnet.private[*].ipv6_cidr_block)
}
output "public_subnets" {
description = "List of IDs of public subnets"
value = aws_subnet.public[*].id
output "private_route_table_ids" {
description = "List of IDs of private route tables"
value = local.private_route_table_ids
}
output "public_subnet_arns" {
description = "List of ARNs of public subnets"
value = aws_subnet.public[*].arn
output "private_nat_gateway_route_ids" {
description = "List of IDs of the private nat gateway route"
value = aws_route.private_nat_gateway[*].id
}
output "public_subnets_cidr_blocks" {
description = "List of cidr_blocks of public subnets"
value = compact(aws_subnet.public[*].cidr_block)
output "private_ipv6_egress_route_ids" {
description = "List of IDs of the ipv6 egress route"
value = aws_route.private_ipv6_egress[*].id
}
output "public_subnets_ipv6_cidr_blocks" {
description = "List of IPv6 cidr_blocks of public subnets in an IPv6 enabled VPC"
value = compact(aws_subnet.public[*].ipv6_cidr_block)
output "private_route_table_association_ids" {
description = "List of IDs of the private route table association"
value = aws_route_table_association.private[*].id
}
output "private_network_acl_id" {
description = "ID of the private network ACL"
value = try(aws_network_acl.private[0].id, null)
}
output "private_network_acl_arn" {
description = "ARN of the private network ACL"
value = try(aws_network_acl.private[0].arn, null)
}
################################################################################
# Outpost Subnets
################################################################################
output "outpost_subnets" {
description = "List of IDs of outpost subnets"
value = aws_subnet.outpost[*].id
......@@ -128,6 +233,20 @@ output "outpost_subnets_ipv6_cidr_blocks" {
value = compact(aws_subnet.outpost[*].ipv6_cidr_block)
}
output "outpost_network_acl_id" {
description = "ID of the outpost network ACL"
value = try(aws_network_acl.outpost[0].id, null)
}
output "outpost_network_acl_arn" {
description = "ARN of the outpost network ACL"
value = try(aws_network_acl.outpost[0].arn, null)
}
################################################################################
# Database Subnets
################################################################################
output "database_subnets" {
description = "List of IDs of database subnets"
value = aws_subnet.database[*].id
......@@ -150,14 +269,53 @@ output "database_subnets_ipv6_cidr_blocks" {
output "database_subnet_group" {
description = "ID of database subnet group"
value = try(aws_db_subnet_group.database[0].id, "")
value = try(aws_db_subnet_group.database[0].id, null)
}
output "database_subnet_group_name" {
description = "Name of database subnet group"
value = try(aws_db_subnet_group.database[0].name, "")
value = try(aws_db_subnet_group.database[0].name, null)
}
output "database_route_table_ids" {
description = "List of IDs of database route tables"
value = try(coalescelist(aws_route_table.database[*].id, local.private_route_table_ids), [])
}
output "database_internet_gateway_route_id" {
description = "ID of the database internet gateway route"
value = try(aws_route.database_internet_gateway[0].id, null)
}
output "database_nat_gateway_route_ids" {
description = "List of IDs of the database nat gateway route"
value = aws_route.database_nat_gateway[*].id
}
output "database_ipv6_egress_route_id" {
description = "ID of the database IPv6 egress route"
value = try(aws_route.database_ipv6_egress[0].id, null)
}
output "database_route_table_association_ids" {
description = "List of IDs of the database route table association"
value = aws_route_table_association.database[*].id
}
output "database_network_acl_id" {
description = "ID of the database network ACL"
value = try(aws_network_acl.database[0].id, null)
}
output "database_network_acl_arn" {
description = "ARN of the database network ACL"
value = try(aws_network_acl.database[0].arn, null)
}
################################################################################
# Redshift Subnets
################################################################################
output "redshift_subnets" {
description = "List of IDs of redshift subnets"
value = aws_subnet.redshift[*].id
......@@ -180,9 +338,38 @@ output "redshift_subnets_ipv6_cidr_blocks" {
output "redshift_subnet_group" {
description = "ID of redshift subnet group"
value = try(aws_redshift_subnet_group.redshift[0].id, "")
value = try(aws_redshift_subnet_group.redshift[0].id, null)
}
output "redshift_route_table_ids" {
description = "List of IDs of redshift route tables"
value = length(local.redshift_route_table_ids) > 0 ? local.redshift_route_table_ids : (var.enable_public_redshift ? local.public_route_table_ids : local.private_route_table_ids)
}
output "redshift_route_table_association_ids" {
description = "List of IDs of the redshift route table association"
value = aws_route_table_association.redshift[*].id
}
output "redshift_public_route_table_association_ids" {
description = "List of IDs of the public redshift route table association"
value = aws_route_table_association.redshift_public[*].id
}
output "redshift_network_acl_id" {
description = "ID of the redshift network ACL"
value = try(aws_network_acl.redshift[0].id, null)
}
output "redshift_network_acl_arn" {
description = "ARN of the redshift network ACL"
value = try(aws_network_acl.redshift[0].arn, null)
}
################################################################################
# Elasticache Subnets
################################################################################
output "elasticache_subnets" {
description = "List of IDs of elasticache subnets"
value = aws_subnet.elasticache[*].id
......@@ -203,124 +390,63 @@ output "elasticache_subnets_ipv6_cidr_blocks" {
value = compact(aws_subnet.elasticache[*].ipv6_cidr_block)
}
output "intra_subnets" {
description = "List of IDs of intra subnets"
value = aws_subnet.intra[*].id
}
output "intra_subnet_arns" {
description = "List of ARNs of intra subnets"
value = aws_subnet.intra[*].arn
}
output "intra_subnets_cidr_blocks" {
description = "List of cidr_blocks of intra subnets"
value = compact(aws_subnet.intra[*].cidr_block)
}
output "intra_subnets_ipv6_cidr_blocks" {
description = "List of IPv6 cidr_blocks of intra subnets in an IPv6 enabled VPC"
value = compact(aws_subnet.intra[*].ipv6_cidr_block)
}
output "elasticache_subnet_group" {
description = "ID of elasticache subnet group"
value = try(aws_elasticache_subnet_group.elasticache[0].id, "")
value = try(aws_elasticache_subnet_group.elasticache[0].id, null)
}
output "elasticache_subnet_group_name" {
description = "Name of elasticache subnet group"
value = try(aws_elasticache_subnet_group.elasticache[0].name, "")
}
output "public_route_table_ids" {
description = "List of IDs of public route tables"
value = aws_route_table.public[*].id
}
output "private_route_table_ids" {
description = "List of IDs of private route tables"
value = aws_route_table.private[*].id
}
output "database_route_table_ids" {
description = "List of IDs of database route tables"
value = try(coalescelist(aws_route_table.database[*].id, aws_route_table.private[*].id), [])
}
output "redshift_route_table_ids" {
description = "List of IDs of redshift route tables"
value = length(aws_route_table.redshift[*].id) > 0 ? aws_route_table.redshift[*].id : (var.enable_public_redshift ? aws_route_table.public[*].id : aws_route_table.private[*].id)
value = try(aws_elasticache_subnet_group.elasticache[0].name, null)
}
output "elasticache_route_table_ids" {
description = "List of IDs of elasticache route tables"
value = try(coalescelist(aws_route_table.elasticache[*].id, aws_route_table.private[*].id), [])
}
output "intra_route_table_ids" {
description = "List of IDs of intra route tables"
value = aws_route_table.intra[*].id
}
output "public_internet_gateway_route_id" {
description = "ID of the internet gateway route"
value = try(aws_route.public_internet_gateway[0].id, "")
}
output "public_internet_gateway_ipv6_route_id" {
description = "ID of the IPv6 internet gateway route"
value = try(aws_route.public_internet_gateway_ipv6[0].id, "")
}
output "database_internet_gateway_route_id" {
description = "ID of the database internet gateway route"
value = try(aws_route.database_internet_gateway[0].id, "")
value = try(coalescelist(aws_route_table.elasticache[*].id, local.private_route_table_ids), [])
}
output "database_nat_gateway_route_ids" {
description = "List of IDs of the database nat gateway route"
value = aws_route.database_nat_gateway[*].id
output "elasticache_route_table_association_ids" {
description = "List of IDs of the elasticache route table association"
value = aws_route_table_association.elasticache[*].id
}
output "database_ipv6_egress_route_id" {
description = "ID of the database IPv6 egress route"
value = try(aws_route.database_ipv6_egress[0].id, "")
output "elasticache_network_acl_id" {
description = "ID of the elasticache network ACL"
value = try(aws_network_acl.elasticache[0].id, null)
}
output "private_nat_gateway_route_ids" {
description = "List of IDs of the private nat gateway route"
value = aws_route.private_nat_gateway[*].id
output "elasticache_network_acl_arn" {
description = "ARN of the elasticache network ACL"
value = try(aws_network_acl.elasticache[0].arn, null)
}
output "private_ipv6_egress_route_ids" {
description = "List of IDs of the ipv6 egress route"
value = aws_route.private_ipv6_egress[*].id
}
################################################################################
# Intra Subnets
################################################################################
output "private_route_table_association_ids" {
description = "List of IDs of the private route table association"
value = aws_route_table_association.private[*].id
output "intra_subnets" {
description = "List of IDs of intra subnets"
value = aws_subnet.intra[*].id
}
output "database_route_table_association_ids" {
description = "List of IDs of the database route table association"
value = aws_route_table_association.database[*].id
output "intra_subnet_arns" {
description = "List of ARNs of intra subnets"
value = aws_subnet.intra[*].arn
}
output "redshift_route_table_association_ids" {
description = "List of IDs of the redshift route table association"
value = aws_route_table_association.redshift[*].id
output "intra_subnets_cidr_blocks" {
description = "List of cidr_blocks of intra subnets"
value = compact(aws_subnet.intra[*].cidr_block)
}
output "redshift_public_route_table_association_ids" {
description = "List of IDs of the public redshift route table association"
value = aws_route_table_association.redshift_public[*].id
output "intra_subnets_ipv6_cidr_blocks" {
description = "List of IPv6 cidr_blocks of intra subnets in an IPv6 enabled VPC"
value = compact(aws_subnet.intra[*].ipv6_cidr_block)
}
output "elasticache_route_table_association_ids" {
description = "List of IDs of the elasticache route table association"
value = aws_route_table_association.elasticache[*].id
output "intra_route_table_ids" {
description = "List of IDs of intra route tables"
value = aws_route_table.intra[*].id
}
output "intra_route_table_association_ids" {
......@@ -328,16 +454,20 @@ output "intra_route_table_association_ids" {
value = aws_route_table_association.intra[*].id
}
output "public_route_table_association_ids" {
description = "List of IDs of the public route table association"
value = aws_route_table_association.public[*].id
output "intra_network_acl_id" {
description = "ID of the intra network ACL"
value = try(aws_network_acl.intra[0].id, null)
}
output "dhcp_options_id" {
description = "The ID of the DHCP options"
value = try(aws_vpc_dhcp_options.this[0].id, "")
output "intra_network_acl_arn" {
description = "ARN of the intra network ACL"
value = try(aws_network_acl.intra[0].arn, null)
}
################################################################################
# NAT Gateway
################################################################################
output "nat_ids" {
description = "List of allocation ID of Elastic IPs created for AWS NAT Gateway"
value = aws_eip.nat[*].id
......@@ -353,21 +483,19 @@ output "natgw_ids" {
value = aws_nat_gateway.this[*].id
}
output "igw_id" {
description = "The ID of the Internet Gateway"
value = try(aws_internet_gateway.this[0].id, "")
}
output "igw_arn" {
description = "The ARN of the Internet Gateway"
value = try(aws_internet_gateway.this[0].arn, "")
}
################################################################################
# Egress Only Gateway
################################################################################
output "egress_only_internet_gateway_id" {
description = "The ID of the egress only Internet Gateway"
value = try(aws_egress_only_internet_gateway.this[0].id, "")
value = try(aws_egress_only_internet_gateway.this[0].id, null)
}
################################################################################
# Customer Gateway
################################################################################
output "cgw_ids" {
description = "List of IDs of Customer Gateway"
value = [for k, v in aws_customer_gateway.this : v.id]
......@@ -383,140 +511,81 @@ output "this_customer_gateway" {
value = aws_customer_gateway.this
}
################################################################################
# VPN Gateway
################################################################################
output "vgw_id" {
description = "The ID of the VPN Gateway"
value = try(aws_vpn_gateway.this[0].id, aws_vpn_gateway_attachment.this[0].vpn_gateway_id, "")
value = try(aws_vpn_gateway.this[0].id, aws_vpn_gateway_attachment.this[0].vpn_gateway_id, null)
}
output "vgw_arn" {
description = "The ARN of the VPN Gateway"
value = try(aws_vpn_gateway.this[0].arn, "")
value = try(aws_vpn_gateway.this[0].arn, null)
}
################################################################################
# Default VPC
################################################################################
output "default_vpc_id" {
description = "The ID of the Default VPC"
value = try(aws_default_vpc.this[0].id, "")
value = try(aws_default_vpc.this[0].id, null)
}
output "default_vpc_arn" {
description = "The ARN of the Default VPC"
value = try(aws_default_vpc.this[0].arn, "")
value = try(aws_default_vpc.this[0].arn, null)
}
output "default_vpc_cidr_block" {
description = "The CIDR block of the Default VPC"
value = try(aws_default_vpc.this[0].cidr_block, "")
value = try(aws_default_vpc.this[0].cidr_block, null)
}
output "default_vpc_default_security_group_id" {
description = "The ID of the security group created by default on Default VPC creation"
value = try(aws_default_vpc.this[0].default_security_group_id, "")
value = try(aws_default_vpc.this[0].default_security_group_id, null)
}
output "default_vpc_default_network_acl_id" {
description = "The ID of the default network ACL of the Default VPC"
value = try(aws_default_vpc.this[0].default_network_acl_id, "")
value = try(aws_default_vpc.this[0].default_network_acl_id, null)
}
output "default_vpc_default_route_table_id" {
description = "The ID of the default route table of the Default VPC"
value = try(aws_default_vpc.this[0].default_route_table_id, "")
value = try(aws_default_vpc.this[0].default_route_table_id, null)
}
output "default_vpc_instance_tenancy" {
description = "Tenancy of instances spin up within Default VPC"
value = try(aws_default_vpc.this[0].instance_tenancy, "")
value = try(aws_default_vpc.this[0].instance_tenancy, null)
}
output "default_vpc_enable_dns_support" {
description = "Whether or not the Default VPC has DNS support"
value = try(aws_default_vpc.this[0].enable_dns_support, "")
value = try(aws_default_vpc.this[0].enable_dns_support, null)
}
output "default_vpc_enable_dns_hostnames" {
description = "Whether or not the Default VPC has DNS hostname support"
value = try(aws_default_vpc.this[0].enable_dns_hostnames, "")
value = try(aws_default_vpc.this[0].enable_dns_hostnames, null)
}
output "default_vpc_main_route_table_id" {
description = "The ID of the main route table associated with the Default VPC"
value = try(aws_default_vpc.this[0].main_route_table_id, "")
}
output "public_network_acl_id" {
description = "ID of the public network ACL"
value = try(aws_network_acl.public[0].id, "")
}
output "public_network_acl_arn" {
description = "ARN of the public network ACL"
value = try(aws_network_acl.public[0].arn, "")
}
output "private_network_acl_id" {
description = "ID of the private network ACL"
value = try(aws_network_acl.private[0].id, "")
}
output "private_network_acl_arn" {
description = "ARN of the private network ACL"
value = try(aws_network_acl.private[0].arn, "")
}
output "outpost_network_acl_id" {
description = "ID of the outpost network ACL"
value = try(aws_network_acl.outpost[0].id, "")
}
output "outpost_network_acl_arn" {
description = "ARN of the outpost network ACL"
value = try(aws_network_acl.outpost[0].arn, "")
}
output "intra_network_acl_id" {
description = "ID of the intra network ACL"
value = try(aws_network_acl.intra[0].id, "")
}
output "intra_network_acl_arn" {
description = "ARN of the intra network ACL"
value = try(aws_network_acl.intra[0].arn, "")
}
output "database_network_acl_id" {
description = "ID of the database network ACL"
value = try(aws_network_acl.database[0].id, "")
value = try(aws_default_vpc.this[0].main_route_table_id, null)
}
output "database_network_acl_arn" {
description = "ARN of the database network ACL"
value = try(aws_network_acl.database[0].arn, "")
}
################################################################################
# VPC Flow Log
################################################################################
output "redshift_network_acl_id" {
description = "ID of the redshift network ACL"
value = try(aws_network_acl.redshift[0].id, "")
}
output "redshift_network_acl_arn" {
description = "ARN of the redshift network ACL"
value = try(aws_network_acl.redshift[0].arn, "")
}
output "elasticache_network_acl_id" {
description = "ID of the elasticache network ACL"
value = try(aws_network_acl.elasticache[0].id, "")
}
output "elasticache_network_acl_arn" {
description = "ARN of the elasticache network ACL"
value = try(aws_network_acl.elasticache[0].arn, "")
}
# VPC flow log
output "vpc_flow_log_id" {
description = "The ID of the Flow Log resource"
value = try(aws_flow_log.this[0].id, "")
value = try(aws_flow_log.this[0].id, null)
}
output "vpc_flow_log_destination_arn" {
......@@ -534,7 +603,10 @@ output "vpc_flow_log_cloudwatch_iam_role_arn" {
value = local.flow_log_iam_role_arn
}
################################################################################
# Static values (arguments)
################################################################################
output "azs" {
description = "A list of availability zones specified as argument to this module"
value = var.azs
......
variables.tf
View file @ 44e6eaa1
################################################################################
# VPC
################################################################################
variable "create_vpc" {
description = "Controls if VPC should be created (it affects almost all resources)"
type = bool
......@@ -13,200 +17,154 @@ variable "name" {
variable "cidr" {
description = "(Optional) The IPv4 CIDR block for the VPC. CIDR can be explicitly set or it can be derived from IPAM using `ipv4_netmask_length` & `ipv4_ipam_pool_id`"
type = string
default = "0.0.0.0/0"
}
variable "enable_ipv6" {
description = "Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block."
type = bool
default = false
}
variable "private_subnet_ipv6_prefixes" {
description = "Assigns IPv6 private subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list"
type = list(string)
default = []
}
variable "public_subnet_ipv6_prefixes" {
description = "Assigns IPv6 public subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list"
type = list(string)
default = []
}
variable "outpost_subnet_ipv6_prefixes" {
description = "Assigns IPv6 outpost subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list"
type = list(string)
default = []
}
variable "database_subnet_ipv6_prefixes" {
description = "Assigns IPv6 database subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list"
type = list(string)
default = []
default = "10.0.0.0/16"
}
variable "redshift_subnet_ipv6_prefixes" {
description = "Assigns IPv6 redshift subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list"
variable "secondary_cidr_blocks" {
description = "List of secondary CIDR blocks to associate with the VPC to extend the IP Address pool"
type = list(string)
default = []
}
variable "elasticache_subnet_ipv6_prefixes" {
description = "Assigns IPv6 elasticache subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list"
type = list(string)
default = []
variable "instance_tenancy" {
description = "A tenancy option for instances launched into the VPC"
type = string
default = "default"
}
variable "intra_subnet_ipv6_prefixes" {
description = "Assigns IPv6 intra subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list"
variable "azs" {
description = "A list of availability zones names or ids in the region"
type = list(string)
default = []
}
variable "assign_ipv6_address_on_creation" {
description = "Assign IPv6 address on subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch"
variable "enable_dns_hostnames" {
description = "Should be true to enable DNS hostnames in the VPC"
type = bool
default = false
default = true
}
variable "private_subnet_assign_ipv6_address_on_creation" {
description = "Assign IPv6 address on private subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch"
variable "enable_dns_support" {
description = "Should be true to enable DNS support in the VPC"
type = bool
default = null
default = true
}
variable "public_subnet_assign_ipv6_address_on_creation" {
description = "Assign IPv6 address on public subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch"
variable "enable_network_address_usage_metrics" {
description = "Determines whether network address usage metrics are enabled for the VPC"
type = bool
default = null
}
variable "outpost_subnet_assign_ipv6_address_on_creation" {
description = "Assign IPv6 address on outpost subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch"
variable "use_ipam_pool" {
description = "Determines whether IPAM pool is used for CIDR allocation"
type = bool
default = null
default = false
}
variable "database_subnet_assign_ipv6_address_on_creation" {
description = "Assign IPv6 address on database subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch"
type = bool
variable "ipv4_ipam_pool_id" {
description = "(Optional) The ID of an IPv4 IPAM pool you want to use for allocating this VPC's CIDR"
type = string
default = null
}
variable "redshift_subnet_assign_ipv6_address_on_creation" {
description = "Assign IPv6 address on redshift subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch"
type = bool
variable "ipv4_netmask_length" {
description = "(Optional) The netmask length of the IPv4 CIDR you want to allocate to this VPC. Requires specifying a ipv4_ipam_pool_id"
type = number
default = null
}
variable "elasticache_subnet_assign_ipv6_address_on_creation" {
description = "Assign IPv6 address on elasticache subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch"
variable "enable_ipv6" {
description = "Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block"
type = bool
default = null
default = false
}
variable "intra_subnet_assign_ipv6_address_on_creation" {
description = "Assign IPv6 address on intra subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch"
type = bool
variable "ipv6_cidr" {
description = "(Optional) IPv6 CIDR block to request from an IPAM Pool. Can be set explicitly or derived from IPAM using `ipv6_netmask_length`"
type = string
default = null
}
variable "secondary_cidr_blocks" {
description = "List of secondary CIDR blocks to associate with the VPC to extend the IP Address pool"
type = list(string)
default = []
}
variable "instance_tenancy" {
description = "A tenancy option for instances launched into the VPC"
variable "ipv6_ipam_pool_id" {
description = "(Optional) IPAM Pool ID for a IPv6 pool. Conflicts with `assign_generated_ipv6_cidr_block`"
type = string
default = "default"
default = null
}
variable "public_subnet_suffix" {
description = "Suffix to append to public subnets name"
type = string
default = "public"
variable "ipv6_netmask_length" {
description = "(Optional) Netmask length to request from IPAM Pool. Conflicts with `ipv6_cidr_block`. This can be omitted if IPAM pool as a `allocation_default_netmask_length` set. Valid values: `56`"
type = number
default = null
}
variable "private_subnet_suffix" {
description = "Suffix to append to private subnets name"
variable "ipv6_cidr_block_network_border_group" {
description = "By default when an IPv6 CIDR is assigned to a VPC a default ipv6_cidr_block_network_border_group will be set to the region of the VPC. This can be changed to restrict advertisement of public addresses to specific Network Border Groups such as LocalZones"
type = string
default = "private"
default = null
}
variable "public_subnet_names" {
description = "Explicit values to use in the Name tag on public subnets. If empty, Name tags are generated."
type = list(string)
default = []
variable "vpc_tags" {
description = "Additional tags for the VPC"
type = map(string)
default = {}
}
variable "private_subnet_names" {
description = "Explicit values to use in the Name tag on private subnets. If empty, Name tags are generated."
type = list(string)
default = []
variable "tags" {
description = "A map of tags to add to all resources"
type = map(string)
default = {}
}
variable "outpost_subnet_names" {
description = "Explicit values to use in the Name tag on outpost subnets. If empty, Name tags are generated."
type = list(string)
default = []
################################################################################
# DHCP Options Set
################################################################################
variable "enable_dhcp_options" {
description = "Should be true if you want to specify a DHCP options set with a custom domain name, DNS servers, NTP servers, netbios servers, and/or netbios server type"
type = bool
default = false
}
variable "intra_subnet_names" {
description = "Explicit values to use in the Name tag on intra subnets. If empty, Name tags are generated."
type = list(string)
default = []
variable "dhcp_options_domain_name" {
description = "Specifies DNS name for DHCP options set (requires enable_dhcp_options set to true)"
type = string
default = ""
}
variable "database_subnet_names" {
description = "Explicit values to use in the Name tag on database subnets. If empty, Name tags are generated."
variable "dhcp_options_domain_name_servers" {
description = "Specify a list of DNS server addresses for DHCP options set, default to AWS provided (requires enable_dhcp_options set to true)"
type = list(string)
default = []
default = ["AmazonProvidedDNS"]
}
variable "redshift_subnet_names" {
description = "Explicit values to use in the Name tag on redshift subnets. If empty, Name tags are generated."
variable "dhcp_options_ntp_servers" {
description = "Specify a list of NTP servers for DHCP options set (requires enable_dhcp_options set to true)"
type = list(string)
default = []
}
variable "elasticache_subnet_names" {
description = "Explicit values to use in the Name tag on elasticache subnets. If empty, Name tags are generated."
variable "dhcp_options_netbios_name_servers" {
description = "Specify a list of netbios servers for DHCP options set (requires enable_dhcp_options set to true)"
type = list(string)
default = []
}
variable "outpost_subnet_suffix" {
description = "Suffix to append to outpost subnets name"
type = string
default = "outpost"
}
variable "intra_subnet_suffix" {
description = "Suffix to append to intra subnets name"
type = string
default = "intra"
}
variable "database_subnet_suffix" {
description = "Suffix to append to database subnets name"
variable "dhcp_options_netbios_node_type" {
description = "Specify netbios node_type for DHCP options set (requires enable_dhcp_options set to true)"
type = string
default = "db"
default = ""
}
variable "redshift_subnet_suffix" {
description = "Suffix to append to redshift subnets name"
type = string
default = "redshift"
variable "dhcp_options_tags" {
description = "Additional tags for the DHCP option set (requires enable_dhcp_options set to true)"
type = map(string)
default = {}
}
variable "elasticache_subnet_suffix" {
description = "Suffix to append to elasticache subnets name"
type = string
default = "elasticache"
}
################################################################################
# Publiс Subnets
################################################################################
variable "public_subnets" {
description = "A list of public subnets inside the VPC"
......@@ -214,683 +172,803 @@ variable "public_subnets" {
default = []
}
variable "private_subnets" {
description = "A list of private subnets inside the VPC"
type = list(string)
default = []
}
variable "outpost_subnets" {
description = "A list of outpost subnets inside the VPC"
type = list(string)
default = []
variable "public_subnet_assign_ipv6_address_on_creation" {
description = "Specify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. Default is `false`"
type = bool
default = false
}
variable "database_subnets" {
description = "A list of database subnets"
type = list(string)
default = []
variable "public_subnet_enable_dns64" {
description = "Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: `true`"
type = bool
default = true
}
variable "redshift_subnets" {
description = "A list of redshift subnets"
type = list(string)
default = []
variable "public_subnet_enable_resource_name_dns_aaaa_record_on_launch" {
description = "Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: `true`"
type = bool
default = true
}
variable "elasticache_subnets" {
description = "A list of elasticache subnets"
type = list(string)
default = []
variable "public_subnet_enable_resource_name_dns_a_record_on_launch" {
description = "Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: `false`"
type = bool
default = false
}
variable "intra_subnets" {
description = "A list of intra subnets"
variable "public_subnet_ipv6_prefixes" {
description = "Assigns IPv6 public subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list"
type = list(string)
default = []
}
variable "create_database_subnet_route_table" {
description = "Controls if separate route table for database should be created"
variable "public_subnet_ipv6_native" {
description = "Indicates whether to create an IPv6-only subnet. Default: `false`"
type = bool
default = false
}
variable "create_redshift_subnet_route_table" {
description = "Controls if separate route table for redshift should be created"
variable "map_public_ip_on_launch" {
description = "Specify true to indicate that instances launched into the subnet should be assigned a public IP address. Default is `false`"
type = bool
default = false
}
variable "enable_public_redshift" {
description = "Controls if redshift should have public routing table"
type = bool
default = false
variable "public_subnet_private_dns_hostname_type_on_launch" {
description = "The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name`"
type = string
default = null
}
variable "create_elasticache_subnet_route_table" {
description = "Controls if separate route table for elasticache should be created"
type = bool
default = false
variable "public_subnet_names" {
description = "Explicit values to use in the Name tag on public subnets. If empty, Name tags are generated"
type = list(string)
default = []
}
variable "create_database_subnet_group" {
description = "Controls if database subnet group should be created (n.b. database_subnets must also be set)"
type = bool
default = true
variable "public_subnet_suffix" {
description = "Suffix to append to public subnets name"
type = string
default = "public"
}
variable "create_elasticache_subnet_group" {
description = "Controls if elasticache subnet group should be created"
type = bool
default = true
variable "public_subnet_tags" {
description = "Additional tags for the public subnets"
type = map(string)
default = {}
}
variable "create_redshift_subnet_group" {
description = "Controls if redshift subnet group should be created"
type = bool
default = true
variable "public_subnet_tags_per_az" {
description = "Additional tags for the public subnets where the primary key is the AZ"
type = map(map(string))
default = {}
}
variable "create_database_internet_gateway_route" {
description = "Controls if an internet gateway route for public database access should be created"
variable "public_route_table_tags" {
description = "Additional tags for the public route tables"
type = map(string)
default = {}
}
################################################################################
# Public Network ACLs
################################################################################
variable "public_dedicated_network_acl" {
description = "Whether to use dedicated network ACL (not default) and custom rules for public subnets"
type = bool
default = false
}
variable "create_database_nat_gateway_route" {
description = "Controls if a nat gateway route should be created to give internet access to the database subnets"
type = bool
default = false
variable "public_inbound_acl_rules" {
description = "Public subnets inbound network ACLs"
type = list(map(string))
default = [
{
rule_number = 100
rule_action = "allow"
from_port = 0
to_port = 0
protocol = "-1"
cidr_block = "0.0.0.0/0"
},
]
}
variable "azs" {
description = "A list of availability zones names or ids in the region"
variable "public_outbound_acl_rules" {
description = "Public subnets outbound network ACLs"
type = list(map(string))
default = [
{
rule_number = 100
rule_action = "allow"
from_port = 0
to_port = 0
protocol = "-1"
cidr_block = "0.0.0.0/0"
},
]
}
variable "public_acl_tags" {
description = "Additional tags for the public subnets network ACL"
type = map(string)
default = {}
}
################################################################################
# Private Subnets
################################################################################
variable "private_subnets" {
description = "A list of private subnets inside the VPC"
type = list(string)
default = []
}
variable "enable_dns_hostnames" {
description = "Should be true to enable DNS hostnames in the VPC"
variable "private_subnet_assign_ipv6_address_on_creation" {
description = "Specify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. Default is `false`"
type = bool
default = false
}
variable "enable_dns_support" {
description = "Should be true to enable DNS support in the VPC"
variable "private_subnet_enable_dns64" {
description = "Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: `true`"
type = bool
default = true
}
# tflint-ignore: terraform_unused_declarations
variable "enable_classiclink" {
description = "[DEPRECATED](https://github.com/hashicorp/terraform/issues/31730) Should be true to enable ClassicLink for the VPC. Only valid in regions and accounts that support EC2 Classic."
type = bool
default = null
}
# tflint-ignore: terraform_unused_declarations
variable "enable_classiclink_dns_support" {
description = "[DEPRECATED](https://github.com/hashicorp/terraform/issues/31730) Should be true to enable ClassicLink DNS Support for the VPC. Only valid in regions and accounts that support EC2 Classic."
variable "private_subnet_enable_resource_name_dns_aaaa_record_on_launch" {
description = "Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: `true`"
type = bool
default = null
default = true
}
variable "enable_nat_gateway" {
description = "Should be true if you want to provision NAT Gateways for each of your private networks"
variable "private_subnet_enable_resource_name_dns_a_record_on_launch" {
description = "Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: `false`"
type = bool
default = false
}
variable "nat_gateway_destination_cidr_block" {
description = "Used to pass a custom destination route for private NAT Gateway. If not specified, the default 0.0.0.0/0 is used as a destination route."
type = string
default = "0.0.0.0/0"
}
variable "single_nat_gateway" {
description = "Should be true if you want to provision a single shared NAT Gateway across all of your private networks"
type = bool
default = false
variable "private_subnet_ipv6_prefixes" {
description = "Assigns IPv6 private subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list"
type = list(string)
default = []
}
variable "one_nat_gateway_per_az" {
description = "Should be true if you want only one NAT Gateway per availability zone. Requires `var.azs` to be set, and the number of `public_subnets` created to be greater than or equal to the number of availability zones specified in `var.azs`."
variable "private_subnet_ipv6_native" {
description = "Indicates whether to create an IPv6-only subnet. Default: `false`"
type = bool
default = false
}
variable "reuse_nat_ips" {
description = "Should be true if you don't want EIPs to be created for your NAT Gateways and will instead pass them in via the 'external_nat_ip_ids' variable"
type = bool
default = false
variable "private_subnet_private_dns_hostname_type_on_launch" {
description = "The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name`"
type = string
default = null
}
variable "external_nat_ip_ids" {
description = "List of EIP IDs to be assigned to the NAT Gateways (used in combination with reuse_nat_ips)"
variable "private_subnet_names" {
description = "Explicit values to use in the Name tag on private subnets. If empty, Name tags are generated"
type = list(string)
default = []
}
variable "external_nat_ips" {
description = "List of EIPs to be used for `nat_public_ips` output (used in combination with reuse_nat_ips and external_nat_ip_ids)"
type = list(string)
default = []
variable "private_subnet_suffix" {
description = "Suffix to append to private subnets name"
type = string
default = "private"
}
variable "map_public_ip_on_launch" {
description = "Should be false if you do not want to auto-assign public IP on launch"
type = bool
default = true
variable "private_subnet_tags" {
description = "Additional tags for the private subnets"
type = map(string)
default = {}
}
variable "customer_gateways" {
description = "Maps of Customer Gateway's attributes (BGP ASN and Gateway's Internet-routable external IP address)"
type = map(map(any))
variable "private_subnet_tags_per_az" {
description = "Additional tags for the private subnets where the primary key is the AZ"
type = map(map(string))
default = {}
}
variable "enable_vpn_gateway" {
description = "Should be true if you want to create a new VPN Gateway resource and attach it to the VPC"
variable "private_route_table_tags" {
description = "Additional tags for the private route tables"
type = map(string)
default = {}
}
################################################################################
# Private Network ACLs
################################################################################
variable "private_dedicated_network_acl" {
description = "Whether to use dedicated network ACL (not default) and custom rules for private subnets"
type = bool
default = false
}
variable "vpn_gateway_id" {
description = "ID of VPN Gateway to attach to the VPC"
type = string
default = ""
variable "private_inbound_acl_rules" {
description = "Private subnets inbound network ACLs"
type = list(map(string))
default = [
{
rule_number = 100
rule_action = "allow"
from_port = 0
to_port = 0
protocol = "-1"
cidr_block = "0.0.0.0/0"
},
]
}
variable "amazon_side_asn" {
description = "The Autonomous System Number (ASN) for the Amazon side of the gateway. By default the virtual private gateway is created with the current default Amazon ASN."
type = string
default = "64512"
variable "private_outbound_acl_rules" {
description = "Private subnets outbound network ACLs"
type = list(map(string))
default = [
{
rule_number = 100
rule_action = "allow"
from_port = 0
to_port = 0
protocol = "-1"
cidr_block = "0.0.0.0/0"
},
]
}
variable "vpn_gateway_az" {
description = "The Availability Zone for the VPN Gateway"
type = string
default = null
variable "private_acl_tags" {
description = "Additional tags for the private subnets network ACL"
type = map(string)
default = {}
}
variable "propagate_intra_route_tables_vgw" {
description = "Should be true if you want route table propagation"
################################################################################
# Database Subnets
################################################################################
variable "database_subnets" {
description = "A list of database subnets inside the VPC"
type = list(string)
default = []
}
variable "database_subnet_assign_ipv6_address_on_creation" {
description = "Specify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. Default is `false`"
type = bool
default = false
}
variable "propagate_private_route_tables_vgw" {
description = "Should be true if you want route table propagation"
variable "database_subnet_enable_dns64" {
description = "Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: `true`"
type = bool
default = false
default = true
}
variable "propagate_public_route_tables_vgw" {
description = "Should be true if you want route table propagation"
variable "database_subnet_enable_resource_name_dns_aaaa_record_on_launch" {
description = "Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: `true`"
type = bool
default = true
}
variable "database_subnet_enable_resource_name_dns_a_record_on_launch" {
description = "Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: `false`"
type = bool
default = false
}
variable "manage_default_route_table" {
description = "Should be true to manage default route table"
variable "database_subnet_ipv6_prefixes" {
description = "Assigns IPv6 database subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list"
type = list(string)
default = []
}
variable "database_subnet_ipv6_native" {
description = "Indicates whether to create an IPv6-only subnet. Default: `false`"
type = bool
default = false
}
variable "default_route_table_name" {
description = "Name to be used on the default route table"
variable "database_subnet_private_dns_hostname_type_on_launch" {
description = "The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name`"
type = string
default = null
}
variable "default_route_table_propagating_vgws" {
description = "List of virtual gateways for propagation"
variable "database_subnet_names" {
description = "Explicit values to use in the Name tag on database subnets. If empty, Name tags are generated"
type = list(string)
default = []
}
variable "default_route_table_routes" {
description = "Configuration block of routes. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_route_table#route"
type = list(map(string))
default = []
variable "database_subnet_suffix" {
description = "Suffix to append to database subnets name"
type = string
default = "db"
}
variable "default_route_table_tags" {
description = "Additional tags for the default route table"
type = map(string)
default = {}
variable "create_database_subnet_route_table" {
description = "Controls if separate route table for database should be created"
type = bool
default = false
}
variable "tags" {
description = "A map of tags to add to all resources"
type = map(string)
default = {}
variable "create_database_internet_gateway_route" {
description = "Controls if an internet gateway route for public database access should be created"
type = bool
default = false
}
variable "vpc_tags" {
description = "Additional tags for the VPC"
type = map(string)
default = {}
variable "create_database_nat_gateway_route" {
description = "Controls if a nat gateway route should be created to give internet access to the database subnets"
type = bool
default = false
}
variable "igw_tags" {
description = "Additional tags for the internet gateway"
variable "database_route_table_tags" {
description = "Additional tags for the database route tables"
type = map(string)
default = {}
}
variable "public_subnet_tags" {
description = "Additional tags for the public subnets"
variable "database_subnet_tags" {
description = "Additional tags for the database subnets"
type = map(string)
default = {}
}
variable "public_subnet_tags_per_az" {
description = "Additional tags for the public subnets where the primary key is the AZ"
type = map(map(string))
default = {}
}
variable "private_subnet_tags" {
description = "Additional tags for the private subnets"
type = map(string)
default = {}
variable "create_database_subnet_group" {
description = "Controls if database subnet group should be created (n.b. database_subnets must also be set)"
type = bool
default = true
}
variable "private_subnet_tags_per_az" {
description = "Additional tags for the private subnets where the primary key is the AZ"
type = map(map(string))
default = {}
variable "database_subnet_group_name" {
description = "Name of database subnet group"
type = string
default = null
}
variable "outpost_subnet_tags" {
description = "Additional tags for the outpost subnets"
variable "database_subnet_group_tags" {
description = "Additional tags for the database subnet group"
type = map(string)
default = {}
}
variable "public_route_table_tags" {
description = "Additional tags for the public route tables"
type = map(string)
default = {}
}
################################################################################
# Database Network ACLs
################################################################################
variable "private_route_table_tags" {
description = "Additional tags for the private route tables"
type = map(string)
default = {}
variable "database_dedicated_network_acl" {
description = "Whether to use dedicated network ACL (not default) and custom rules for database subnets"
type = bool
default = false
}
variable "database_route_table_tags" {
description = "Additional tags for the database route tables"
type = map(string)
default = {}
variable "database_inbound_acl_rules" {
description = "Database subnets inbound network ACL rules"
type = list(map(string))
default = [
{
rule_number = 100
rule_action = "allow"
from_port = 0
to_port = 0
protocol = "-1"
cidr_block = "0.0.0.0/0"
},
]
}
variable "redshift_route_table_tags" {
description = "Additional tags for the redshift route tables"
type = map(string)
default = {}
variable "database_outbound_acl_rules" {
description = "Database subnets outbound network ACL rules"
type = list(map(string))
default = [
{
rule_number = 100
rule_action = "allow"
from_port = 0
to_port = 0
protocol = "-1"
cidr_block = "0.0.0.0/0"
},
]
}
variable "elasticache_route_table_tags" {
description = "Additional tags for the elasticache route tables"
variable "database_acl_tags" {
description = "Additional tags for the database subnets network ACL"
type = map(string)
default = {}
}
variable "intra_route_table_tags" {
description = "Additional tags for the intra route tables"
type = map(string)
default = {}
################################################################################
# Redshift Subnets
################################################################################
variable "redshift_subnets" {
description = "A list of redshift subnets inside the VPC"
type = list(string)
default = []
}
variable "database_subnet_group_name" {
description = "Name of database subnet group"
type = string
default = null
variable "redshift_subnet_assign_ipv6_address_on_creation" {
description = "Specify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. Default is `false`"
type = bool
default = false
}
variable "database_subnet_tags" {
description = "Additional tags for the database subnets"
type = map(string)
default = {}
variable "redshift_subnet_enable_dns64" {
description = "Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: `true`"
type = bool
default = true
}
variable "database_subnet_group_tags" {
description = "Additional tags for the database subnet group"
type = map(string)
default = {}
variable "redshift_subnet_enable_resource_name_dns_aaaa_record_on_launch" {
description = "Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: `true`"
type = bool
default = true
}
variable "redshift_subnet_tags" {
description = "Additional tags for the redshift subnets"
type = map(string)
default = {}
variable "redshift_subnet_enable_resource_name_dns_a_record_on_launch" {
description = "Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: `false`"
type = bool
default = false
}
variable "redshift_subnet_group_name" {
description = "Name of redshift subnet group"
type = string
default = null
variable "redshift_subnet_ipv6_prefixes" {
description = "Assigns IPv6 redshift subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list"
type = list(string)
default = []
}
variable "redshift_subnet_group_tags" {
description = "Additional tags for the redshift subnet group"
type = map(string)
default = {}
variable "redshift_subnet_ipv6_native" {
description = "Indicates whether to create an IPv6-only subnet. Default: `false`"
type = bool
default = false
}
variable "elasticache_subnet_group_name" {
description = "Name of elasticache subnet group"
variable "redshift_subnet_private_dns_hostname_type_on_launch" {
description = "The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name`"
type = string
default = null
}
variable "elasticache_subnet_group_tags" {
description = "Additional tags for the elasticache subnet group"
type = map(string)
default = {}
}
variable "elasticache_subnet_tags" {
description = "Additional tags for the elasticache subnets"
type = map(string)
default = {}
variable "redshift_subnet_names" {
description = "Explicit values to use in the Name tag on redshift subnets. If empty, Name tags are generated"
type = list(string)
default = []
}
variable "intra_subnet_tags" {
description = "Additional tags for the intra subnets"
type = map(string)
default = {}
variable "redshift_subnet_suffix" {
description = "Suffix to append to redshift subnets name"
type = string
default = "redshift"
}
variable "public_acl_tags" {
description = "Additional tags for the public subnets network ACL"
type = map(string)
default = {}
variable "enable_public_redshift" {
description = "Controls if redshift should have public routing table"
type = bool
default = false
}
variable "private_acl_tags" {
description = "Additional tags for the private subnets network ACL"
type = map(string)
default = {}
variable "create_redshift_subnet_route_table" {
description = "Controls if separate route table for redshift should be created"
type = bool
default = false
}
variable "outpost_acl_tags" {
description = "Additional tags for the outpost subnets network ACL"
variable "redshift_route_table_tags" {
description = "Additional tags for the redshift route tables"
type = map(string)
default = {}
}
variable "intra_acl_tags" {
description = "Additional tags for the intra subnets network ACL"
variable "redshift_subnet_tags" {
description = "Additional tags for the redshift subnets"
type = map(string)
default = {}
}
variable "database_acl_tags" {
description = "Additional tags for the database subnets network ACL"
type = map(string)
default = {}
variable "create_redshift_subnet_group" {
description = "Controls if redshift subnet group should be created"
type = bool
default = true
}
variable "redshift_acl_tags" {
description = "Additional tags for the redshift subnets network ACL"
type = map(string)
default = {}
variable "redshift_subnet_group_name" {
description = "Name of redshift subnet group"
type = string
default = null
}
variable "elasticache_acl_tags" {
description = "Additional tags for the elasticache subnets network ACL"
variable "redshift_subnet_group_tags" {
description = "Additional tags for the redshift subnet group"
type = map(string)
default = {}
}
variable "dhcp_options_tags" {
description = "Additional tags for the DHCP option set (requires enable_dhcp_options set to true)"
type = map(string)
default = {}
}
################################################################################
# Redshift Network ACLs
################################################################################
variable "nat_gateway_tags" {
description = "Additional tags for the NAT gateways"
type = map(string)
default = {}
variable "redshift_dedicated_network_acl" {
description = "Whether to use dedicated network ACL (not default) and custom rules for redshift subnets"
type = bool
default = false
}
variable "nat_eip_tags" {
description = "Additional tags for the NAT EIP"
type = map(string)
default = {}
variable "redshift_inbound_acl_rules" {
description = "Redshift subnets inbound network ACL rules"
type = list(map(string))
default = [
{
rule_number = 100
rule_action = "allow"
from_port = 0
to_port = 0
protocol = "-1"
cidr_block = "0.0.0.0/0"
},
]
}
variable "customer_gateway_tags" {
description = "Additional tags for the Customer Gateway"
type = map(string)
default = {}
variable "redshift_outbound_acl_rules" {
description = "Redshift subnets outbound network ACL rules"
type = list(map(string))
default = [
{
rule_number = 100
rule_action = "allow"
from_port = 0
to_port = 0
protocol = "-1"
cidr_block = "0.0.0.0/0"
},
]
}
variable "vpn_gateway_tags" {
description = "Additional tags for the VPN gateway"
variable "redshift_acl_tags" {
description = "Additional tags for the redshift subnets network ACL"
type = map(string)
default = {}
}
variable "vpc_flow_log_tags" {
description = "Additional tags for the VPC Flow Logs"
type = map(string)
default = {}
}
################################################################################
# Elasticache Subnets
################################################################################
variable "vpc_flow_log_permissions_boundary" {
description = "The ARN of the Permissions Boundary for the VPC Flow Log IAM Role"
type = string
default = null
variable "elasticache_subnets" {
description = "A list of elasticache subnets inside the VPC"
type = list(string)
default = []
}
variable "enable_dhcp_options" {
description = "Should be true if you want to specify a DHCP options set with a custom domain name, DNS servers, NTP servers, netbios servers, and/or netbios server type"
variable "elasticache_subnet_assign_ipv6_address_on_creation" {
description = "Specify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. Default is `false`"
type = bool
default = false
}
variable "dhcp_options_domain_name" {
description = "Specifies DNS name for DHCP options set (requires enable_dhcp_options set to true)"
type = string
default = ""
variable "elasticache_subnet_enable_dns64" {
description = "Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: `true`"
type = bool
default = true
}
variable "dhcp_options_domain_name_servers" {
description = "Specify a list of DNS server addresses for DHCP options set, default to AWS provided (requires enable_dhcp_options set to true)"
type = list(string)
default = ["AmazonProvidedDNS"]
variable "elasticache_subnet_enable_resource_name_dns_aaaa_record_on_launch" {
description = "Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: `true`"
type = bool
default = true
}
variable "dhcp_options_ntp_servers" {
description = "Specify a list of NTP servers for DHCP options set (requires enable_dhcp_options set to true)"
type = list(string)
default = []
variable "elasticache_subnet_enable_resource_name_dns_a_record_on_launch" {
description = "Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: `false`"
type = bool
default = false
}
variable "dhcp_options_netbios_name_servers" {
description = "Specify a list of netbios servers for DHCP options set (requires enable_dhcp_options set to true)"
variable "elasticache_subnet_ipv6_prefixes" {
description = "Assigns IPv6 elasticache subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list"
type = list(string)
default = []
}
variable "dhcp_options_netbios_node_type" {
description = "Specify netbios node_type for DHCP options set (requires enable_dhcp_options set to true)"
type = string
default = ""
}
variable "manage_default_vpc" {
description = "Should be true to adopt and manage Default VPC"
variable "elasticache_subnet_ipv6_native" {
description = "Indicates whether to create an IPv6-only subnet. Default: `false`"
type = bool
default = false
}
variable "default_vpc_name" {
description = "Name to be used on the Default VPC"
variable "elasticache_subnet_private_dns_hostname_type_on_launch" {
description = "The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name`"
type = string
default = null
}
variable "default_vpc_enable_dns_support" {
description = "Should be true to enable DNS support in the Default VPC"
type = bool
default = true
variable "elasticache_subnet_names" {
description = "Explicit values to use in the Name tag on elasticache subnets. If empty, Name tags are generated"
type = list(string)
default = []
}
variable "default_vpc_enable_dns_hostnames" {
description = "Should be true to enable DNS hostnames in the Default VPC"
type = bool
default = false
variable "elasticache_subnet_suffix" {
description = "Suffix to append to elasticache subnets name"
type = string
default = "elasticache"
}
# tflint-ignore: terraform_unused_declarations
variable "default_vpc_enable_classiclink" {
description = "[DEPRECATED](https://github.com/hashicorp/terraform/issues/31730) Should be true to enable ClassicLink in the Default VPC"
variable "elasticache_subnet_tags" {
description = "Additional tags for the elasticache subnets"
type = map(string)
default = {}
}
variable "create_elasticache_subnet_route_table" {
description = "Controls if separate route table for elasticache should be created"
type = bool
default = false
}
variable "default_vpc_tags" {
description = "Additional tags for the Default VPC"
variable "elasticache_route_table_tags" {
description = "Additional tags for the elasticache route tables"
type = map(string)
default = {}
}
variable "manage_default_network_acl" {
description = "Should be true to adopt and manage Default Network ACL"
variable "create_elasticache_subnet_group" {
description = "Controls if elasticache subnet group should be created"
type = bool
default = false
default = true
}
variable "default_network_acl_name" {
description = "Name to be used on the Default Network ACL"
variable "elasticache_subnet_group_name" {
description = "Name of elasticache subnet group"
type = string
default = null
}
variable "default_network_acl_tags" {
description = "Additional tags for the Default Network ACL"
variable "elasticache_subnet_group_tags" {
description = "Additional tags for the elasticache subnet group"
type = map(string)
default = {}
}
variable "public_dedicated_network_acl" {
description = "Whether to use dedicated network ACL (not default) and custom rules for public subnets"
################################################################################
# Elasticache Network ACLs
################################################################################
variable "elasticache_dedicated_network_acl" {
description = "Whether to use dedicated network ACL (not default) and custom rules for elasticache subnets"
type = bool
default = false
}
variable "private_dedicated_network_acl" {
description = "Whether to use dedicated network ACL (not default) and custom rules for private subnets"
type = bool
default = false
variable "elasticache_inbound_acl_rules" {
description = "Elasticache subnets inbound network ACL rules"
type = list(map(string))
default = [
{
rule_number = 100
rule_action = "allow"
from_port = 0
to_port = 0
protocol = "-1"
cidr_block = "0.0.0.0/0"
},
]
}
variable "outpost_dedicated_network_acl" {
description = "Whether to use dedicated network ACL (not default) and custom rules for outpost subnets"
variable "elasticache_outbound_acl_rules" {
description = "Elasticache subnets outbound network ACL rules"
type = list(map(string))
default = [
{
rule_number = 100
rule_action = "allow"
from_port = 0
to_port = 0
protocol = "-1"
cidr_block = "0.0.0.0/0"
},
]
}
variable "elasticache_acl_tags" {
description = "Additional tags for the elasticache subnets network ACL"
type = map(string)
default = {}
}
################################################################################
# Intra Subnets
################################################################################
variable "intra_subnets" {
description = "A list of intra subnets inside the VPC"
type = list(string)
default = []
}
variable "intra_subnet_assign_ipv6_address_on_creation" {
description = "Specify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. Default is `false`"
type = bool
default = false
}
variable "intra_dedicated_network_acl" {
description = "Whether to use dedicated network ACL (not default) and custom rules for intra subnets"
variable "intra_subnet_enable_dns64" {
description = "Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: `true`"
type = bool
default = false
default = true
}
variable "database_dedicated_network_acl" {
description = "Whether to use dedicated network ACL (not default) and custom rules for database subnets"
variable "intra_subnet_enable_resource_name_dns_aaaa_record_on_launch" {
description = "Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: `true`"
type = bool
default = false
default = true
}
variable "redshift_dedicated_network_acl" {
description = "Whether to use dedicated network ACL (not default) and custom rules for redshift subnets"
variable "intra_subnet_enable_resource_name_dns_a_record_on_launch" {
description = "Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: `false`"
type = bool
default = false
}
variable "elasticache_dedicated_network_acl" {
description = "Whether to use dedicated network ACL (not default) and custom rules for elasticache subnets"
variable "intra_subnet_ipv6_prefixes" {
description = "Assigns IPv6 intra subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list"
type = list(string)
default = []
}
variable "intra_subnet_ipv6_native" {
description = "Indicates whether to create an IPv6-only subnet. Default: `false`"
type = bool
default = false
}
variable "default_network_acl_ingress" {
description = "List of maps of ingress rules to set on the Default Network ACL"
type = list(map(string))
variable "intra_subnet_private_dns_hostname_type_on_launch" {
description = "The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name`"
type = string
default = null
}
default = [
{
rule_no = 100
action = "allow"
from_port = 0
to_port = 0
protocol = "-1"
cidr_block = "0.0.0.0/0"
},
{
rule_no = 101
action = "allow"
from_port = 0
to_port = 0
protocol = "-1"
ipv6_cidr_block = "::/0"
},
]
variable "intra_subnet_names" {
description = "Explicit values to use in the Name tag on intra subnets. If empty, Name tags are generated"
type = list(string)
default = []
}
variable "default_network_acl_egress" {
description = "List of maps of egress rules to set on the Default Network ACL"
type = list(map(string))
variable "intra_subnet_suffix" {
description = "Suffix to append to intra subnets name"
type = string
default = "intra"
}
default = [
{
rule_no = 100
action = "allow"
from_port = 0
to_port = 0
protocol = "-1"
cidr_block = "0.0.0.0/0"
},
{
rule_no = 101
action = "allow"
from_port = 0
to_port = 0
protocol = "-1"
ipv6_cidr_block = "::/0"
},
]
variable "intra_subnet_tags" {
description = "Additional tags for the intra subnets"
type = map(string)
default = {}
}
variable "public_inbound_acl_rules" {
description = "Public subnets inbound network ACLs"
type = list(map(string))
variable "intra_route_table_tags" {
description = "Additional tags for the intra route tables"
type = map(string)
default = {}
}
default = [
{
rule_number = 100
rule_action = "allow"
from_port = 0
to_port = 0
protocol = "-1"
cidr_block = "0.0.0.0/0"
},
]
################################################################################
# Intra Network ACLs
################################################################################
variable "intra_dedicated_network_acl" {
description = "Whether to use dedicated network ACL (not default) and custom rules for intra subnets"
type = bool
default = false
}
variable "public_outbound_acl_rules" {
description = "Public subnets outbound network ACLs"
variable "intra_inbound_acl_rules" {
description = "Intra subnets inbound network ACLs"
type = list(map(string))
default = [
{
rule_number = 100
......@@ -903,10 +981,9 @@ variable "public_outbound_acl_rules" {
]
}
variable "private_inbound_acl_rules" {
description = "Private subnets inbound network ACLs"
variable "intra_outbound_acl_rules" {
description = "Intra subnets outbound network ACLs"
type = list(map(string))
default = [
{
rule_number = 100
......@@ -919,26 +996,119 @@ variable "private_inbound_acl_rules" {
]
}
variable "private_outbound_acl_rules" {
description = "Private subnets outbound network ACLs"
type = list(map(string))
variable "intra_acl_tags" {
description = "Additional tags for the intra subnets network ACL"
type = map(string)
default = {}
}
default = [
{
rule_number = 100
rule_action = "allow"
from_port = 0
to_port = 0
protocol = "-1"
cidr_block = "0.0.0.0/0"
},
]
################################################################################
# Outpost Subnets
################################################################################
variable "outpost_subnets" {
description = "A list of outpost subnets inside the VPC"
type = list(string)
default = []
}
variable "outpost_subnet_assign_ipv6_address_on_creation" {
description = "Specify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. Default is `false`"
type = bool
default = false
}
variable "outpost_az" {
description = "AZ where Outpost is anchored"
type = string
default = null
}
variable "customer_owned_ipv4_pool" {
description = "The customer owned IPv4 address pool. Typically used with the `map_customer_owned_ip_on_launch` argument. The `outpost_arn` argument must be specified when configured"
type = string
default = null
}
variable "outpost_subnet_enable_dns64" {
description = "Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: `true`"
type = bool
default = true
}
variable "outpost_subnet_enable_resource_name_dns_aaaa_record_on_launch" {
description = "Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: `true`"
type = bool
default = true
}
variable "outpost_subnet_enable_resource_name_dns_a_record_on_launch" {
description = "Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: `false`"
type = bool
default = false
}
variable "outpost_subnet_ipv6_prefixes" {
description = "Assigns IPv6 outpost subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list"
type = list(string)
default = []
}
variable "outpost_subnet_ipv6_native" {
description = "Indicates whether to create an IPv6-only subnet. Default: `false`"
type = bool
default = false
}
variable "map_customer_owned_ip_on_launch" {
description = "Specify true to indicate that network interfaces created in the subnet should be assigned a customer owned IP address. The `customer_owned_ipv4_pool` and `outpost_arn` arguments must be specified when set to `true`. Default is `false`"
type = bool
default = false
}
variable "outpost_arn" {
description = "ARN of Outpost you want to create a subnet in"
type = string
default = null
}
variable "outpost_subnet_private_dns_hostname_type_on_launch" {
description = "The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name`"
type = string
default = null
}
variable "outpost_subnet_names" {
description = "Explicit values to use in the Name tag on outpost subnets. If empty, Name tags are generated"
type = list(string)
default = []
}
variable "outpost_subnet_suffix" {
description = "Suffix to append to outpost subnets name"
type = string
default = "outpost"
}
variable "outpost_subnet_tags" {
description = "Additional tags for the outpost subnets"
type = map(string)
default = {}
}
################################################################################
# Outpost Network ACLs
################################################################################
variable "outpost_dedicated_network_acl" {
description = "Whether to use dedicated network ACL (not default) and custom rules for outpost subnets"
type = bool
default = false
}
variable "outpost_inbound_acl_rules" {
description = "Outpost subnets inbound network ACLs"
type = list(map(string))
default = [
{
rule_number = 100
......@@ -954,7 +1124,6 @@ variable "outpost_inbound_acl_rules" {
variable "outpost_outbound_acl_rules" {
description = "Outpost subnets outbound network ACLs"
type = list(map(string))
default = [
{
rule_number = 100
......@@ -967,322 +1136,439 @@ variable "outpost_outbound_acl_rules" {
]
}
variable "intra_inbound_acl_rules" {
description = "Intra subnets inbound network ACLs"
variable "outpost_acl_tags" {
description = "Additional tags for the outpost subnets network ACL"
type = map(string)
default = {}
}
################################################################################
# Internet Gateway
################################################################################
variable "create_igw" {
description = "Controls if an Internet Gateway is created for public subnets and the related routes that connect them"
type = bool
default = true
}
variable "create_egress_only_igw" {
description = "Controls if an Egress Only Internet Gateway is created and its related routes"
type = bool
default = true
}
variable "igw_tags" {
description = "Additional tags for the internet gateway"
type = map(string)
default = {}
}
################################################################################
# NAT Gateway
################################################################################
variable "enable_nat_gateway" {
description = "Should be true if you want to provision NAT Gateways for each of your private networks"
type = bool
default = false
}
variable "nat_gateway_destination_cidr_block" {
description = "Used to pass a custom destination route for private NAT Gateway. If not specified, the default 0.0.0.0/0 is used as a destination route"
type = string
default = "0.0.0.0/0"
}
variable "single_nat_gateway" {
description = "Should be true if you want to provision a single shared NAT Gateway across all of your private networks"
type = bool
default = false
}
variable "one_nat_gateway_per_az" {
description = "Should be true if you want only one NAT Gateway per availability zone. Requires `var.azs` to be set, and the number of `public_subnets` created to be greater than or equal to the number of availability zones specified in `var.azs`"
type = bool
default = false
}
variable "reuse_nat_ips" {
description = "Should be true if you don't want EIPs to be created for your NAT Gateways and will instead pass them in via the 'external_nat_ip_ids' variable"
type = bool
default = false
}
variable "external_nat_ip_ids" {
description = "List of EIP IDs to be assigned to the NAT Gateways (used in combination with reuse_nat_ips)"
type = list(string)
default = []
}
variable "external_nat_ips" {
description = "List of EIPs to be used for `nat_public_ips` output (used in combination with reuse_nat_ips and external_nat_ip_ids)"
type = list(string)
default = []
}
variable "nat_gateway_tags" {
description = "Additional tags for the NAT gateways"
type = map(string)
default = {}
}
variable "nat_eip_tags" {
description = "Additional tags for the NAT EIP"
type = map(string)
default = {}
}
################################################################################
# Customer Gateways
################################################################################
variable "customer_gateways" {
description = "Maps of Customer Gateway's attributes (BGP ASN and Gateway's Internet-routable external IP address)"
type = map(map(any))
default = {}
}
variable "customer_gateway_tags" {
description = "Additional tags for the Customer Gateway"
type = map(string)
default = {}
}
################################################################################
# VPN Gateway
################################################################################
variable "enable_vpn_gateway" {
description = "Should be true if you want to create a new VPN Gateway resource and attach it to the VPC"
type = bool
default = false
}
variable "vpn_gateway_id" {
description = "ID of VPN Gateway to attach to the VPC"
type = string
default = ""
}
variable "amazon_side_asn" {
description = "The Autonomous System Number (ASN) for the Amazon side of the gateway. By default the virtual private gateway is created with the current default Amazon ASN"
type = string
default = "64512"
}
variable "vpn_gateway_az" {
description = "The Availability Zone for the VPN Gateway"
type = string
default = null
}
variable "propagate_intra_route_tables_vgw" {
description = "Should be true if you want route table propagation"
type = bool
default = false
}
variable "propagate_private_route_tables_vgw" {
description = "Should be true if you want route table propagation"
type = bool
default = false
}
variable "propagate_public_route_tables_vgw" {
description = "Should be true if you want route table propagation"
type = bool
default = false
}
variable "vpn_gateway_tags" {
description = "Additional tags for the VPN gateway"
type = map(string)
default = {}
}
################################################################################
# Default VPC
################################################################################
variable "manage_default_vpc" {
description = "Should be true to adopt and manage Default VPC"
type = bool
default = false
}
variable "default_vpc_name" {
description = "Name to be used on the Default VPC"
type = string
default = null
}
variable "default_vpc_enable_dns_support" {
description = "Should be true to enable DNS support in the Default VPC"
type = bool
default = true
}
variable "default_vpc_enable_dns_hostnames" {
description = "Should be true to enable DNS hostnames in the Default VPC"
type = bool
default = true
}
variable "default_vpc_tags" {
description = "Additional tags for the Default VPC"
type = map(string)
default = {}
}
variable "manage_default_security_group" {
description = "Should be true to adopt and manage default security group"
type = bool
default = true
}
variable "default_security_group_name" {
description = "Name to be used on the default security group"
type = string
default = null
}
variable "default_security_group_ingress" {
description = "List of maps of ingress rules to set on the default security group"
type = list(map(string))
default = [
{
rule_number = 100
rule_action = "allow"
from_port = 0
to_port = 0
protocol = "-1"
cidr_block = "0.0.0.0/0"
},
]
default = []
}
variable "intra_outbound_acl_rules" {
description = "Intra subnets outbound network ACLs"
variable "default_security_group_egress" {
description = "List of maps of egress rules to set on the default security group"
type = list(map(string))
default = []
}
default = [
{
rule_number = 100
rule_action = "allow"
from_port = 0
to_port = 0
protocol = "-1"
cidr_block = "0.0.0.0/0"
},
]
variable "default_security_group_tags" {
description = "Additional tags for the default security group"
type = map(string)
default = {}
}
variable "database_inbound_acl_rules" {
description = "Database subnets inbound network ACL rules"
type = list(map(string))
################################################################################
# Default Network ACLs
################################################################################
default = [
{
rule_number = 100
rule_action = "allow"
from_port = 0
to_port = 0
protocol = "-1"
cidr_block = "0.0.0.0/0"
},
]
variable "manage_default_network_acl" {
description = "Should be true to adopt and manage Default Network ACL"
type = bool
default = true
}
variable "database_outbound_acl_rules" {
description = "Database subnets outbound network ACL rules"
type = list(map(string))
default = [
{
rule_number = 100
rule_action = "allow"
from_port = 0
to_port = 0
protocol = "-1"
cidr_block = "0.0.0.0/0"
},
]
variable "default_network_acl_name" {
description = "Name to be used on the Default Network ACL"
type = string
default = null
}
variable "redshift_inbound_acl_rules" {
description = "Redshift subnets inbound network ACL rules"
variable "default_network_acl_ingress" {
description = "List of maps of ingress rules to set on the Default Network ACL"
type = list(map(string))
default = [
{
rule_number = 100
rule_action = "allow"
rule_no = 100
action = "allow"
from_port = 0
to_port = 0
protocol = "-1"
cidr_block = "0.0.0.0/0"
},
]
}
variable "redshift_outbound_acl_rules" {
description = "Redshift subnets outbound network ACL rules"
type = list(map(string))
default = [
{
rule_number = 100
rule_action = "allow"
rule_no = 101
action = "allow"
from_port = 0
to_port = 0
protocol = "-1"
cidr_block = "0.0.0.0/0"
ipv6_cidr_block = "::/0"
},
]
}
variable "elasticache_inbound_acl_rules" {
description = "Elasticache subnets inbound network ACL rules"
variable "default_network_acl_egress" {
description = "List of maps of egress rules to set on the Default Network ACL"
type = list(map(string))
default = [
{
rule_number = 100
rule_action = "allow"
rule_no = 100
action = "allow"
from_port = 0
to_port = 0
protocol = "-1"
cidr_block = "0.0.0.0/0"
},
]
}
variable "elasticache_outbound_acl_rules" {
description = "Elasticache subnets outbound network ACL rules"
type = list(map(string))
default = [
{
rule_number = 100
rule_action = "allow"
rule_no = 101
action = "allow"
from_port = 0
to_port = 0
protocol = "-1"
cidr_block = "0.0.0.0/0"
ipv6_cidr_block = "::/0"
},
]
}
variable "manage_default_security_group" {
description = "Should be true to adopt and manage default security group"
variable "default_network_acl_tags" {
description = "Additional tags for the Default Network ACL"
type = map(string)
default = {}
}
################################################################################
# Default Route
################################################################################
variable "manage_default_route_table" {
description = "Should be true to manage default route table"
type = bool
default = false
default = true
}
variable "default_security_group_name" {
description = "Name to be used on the default security group"
variable "default_route_table_name" {
description = "Name to be used on the default route table"
type = string
default = null
}
variable "default_security_group_ingress" {
description = "List of maps of ingress rules to set on the default security group"
type = list(map(string))
variable "default_route_table_propagating_vgws" {
description = "List of virtual gateways for propagation"
type = list(string)
default = []
}
variable "enable_flow_log" {
description = "Whether or not to enable VPC Flow Logs"
type = bool
default = false
}
variable "default_security_group_egress" {
description = "List of maps of egress rules to set on the default security group"
variable "default_route_table_routes" {
description = "Configuration block of routes. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_route_table#route"
type = list(map(string))
default = []
}
variable "default_security_group_tags" {
description = "Additional tags for the default security group"
variable "default_route_table_tags" {
description = "Additional tags for the default route table"
type = map(string)
default = {}
}
variable "create_flow_log_cloudwatch_log_group" {
description = "Whether to create CloudWatch log group for VPC Flow Logs"
################################################################################
# Flow Log
################################################################################
variable "enable_flow_log" {
description = "Whether or not to enable VPC Flow Logs"
type = bool
default = false
}
variable "create_flow_log_cloudwatch_iam_role" {
description = "Whether to create IAM role for VPC Flow Logs"
type = bool
default = false
variable "vpc_flow_log_permissions_boundary" {
description = "The ARN of the Permissions Boundary for the VPC Flow Log IAM Role"
type = string
default = null
}
variable "flow_log_max_aggregation_interval" {
description = "The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: `60` seconds or `600` seconds"
type = number
default = 600
}
variable "flow_log_traffic_type" {
description = "The type of traffic to capture. Valid values: ACCEPT, REJECT, ALL."
description = "The type of traffic to capture. Valid values: ACCEPT, REJECT, ALL"
type = string
default = "ALL"
}
variable "flow_log_destination_type" {
description = "Type of flow log destination. Can be s3 or cloud-watch-logs."
description = "Type of flow log destination. Can be s3 or cloud-watch-logs"
type = string
default = "cloud-watch-logs"
}
variable "flow_log_log_format" {
description = "The fields to include in the flow log record, in the order in which they should appear."
description = "The fields to include in the flow log record, in the order in which they should appear"
type = string
default = null
}
variable "flow_log_destination_arn" {
description = "The ARN of the CloudWatch log group or S3 bucket where VPC Flow Logs will be pushed. If this ARN is a S3 bucket the appropriate permissions need to be set on that bucket's policy. When create_flow_log_cloudwatch_log_group is set to false this argument must be provided."
type = string
default = ""
}
variable "flow_log_cloudwatch_iam_role_arn" {
description = "The ARN for the IAM role that's used to post flow logs to a CloudWatch Logs log group. When flow_log_destination_arn is set to ARN of Cloudwatch Logs, this argument needs to be provided."
type = string
default = ""
}
variable "flow_log_cloudwatch_log_group_name_prefix" {
description = "Specifies the name prefix of CloudWatch Log Group for VPC flow logs."
type = string
default = "/aws/vpc-flow-log/"
}
variable "flow_log_cloudwatch_log_group_name_suffix" {
description = "Specifies the name suffix of CloudWatch Log Group for VPC flow logs."
description = "The ARN of the CloudWatch log group or S3 bucket where VPC Flow Logs will be pushed. If this ARN is a S3 bucket the appropriate permissions need to be set on that bucket's policy. When create_flow_log_cloudwatch_log_group is set to false this argument must be provided"
type = string
default = ""
}
variable "flow_log_cloudwatch_log_group_retention_in_days" {
description = "Specifies the number of days you want to retain log events in the specified log group for VPC flow logs."
type = number
default = null
}
variable "flow_log_cloudwatch_log_group_kms_key_id" {
description = "The ARN of the KMS Key to use when encrypting log data for VPC flow logs."
variable "flow_log_file_format" {
description = "(Optional) The format for the flow log. Valid values: `plain-text`, `parquet`"
type = string
default = null
}
variable "flow_log_max_aggregation_interval" {
description = "The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: `60` seconds or `600` seconds."
type = number
default = 600
}
variable "create_igw" {
description = "Controls if an Internet Gateway is created for public subnets and the related routes that connect them."
variable "flow_log_hive_compatible_partitions" {
description = "(Optional) Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3"
type = bool
default = true
default = false
}
variable "create_egress_only_igw" {
description = "Controls if an Egress Only Internet Gateway is created and its related routes."
variable "flow_log_per_hour_partition" {
description = "(Optional) Indicates whether to partition the flow log per hour. This reduces the cost and response time for queries"
type = bool
default = true
}
variable "outpost_arn" {
description = "ARN of Outpost you want to create a subnet in."
type = string
default = null
}
variable "outpost_az" {
description = "AZ where Outpost is anchored."
type = string
default = null
default = false
}
variable "flow_log_file_format" {
description = "(Optional) The format for the flow log. Valid values: `plain-text`, `parquet`."
type = string
default = "plain-text"
validation {
condition = can(regex("^(plain-text|parquet)$",
var.flow_log_file_format))
error_message = "ERROR valid values: plain-text, parquet."
}
variable "vpc_flow_log_tags" {
description = "Additional tags for the VPC Flow Logs"
type = map(string)
default = {}
}
variable "flow_log_hive_compatible_partitions" {
description = "(Optional) Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3."
type = bool
default = false
}
################################################################################
# Flow Log CloudWatch
################################################################################
variable "flow_log_per_hour_partition" {
description = "(Optional) Indicates whether to partition the flow log per hour. This reduces the cost and response time for queries."
variable "create_flow_log_cloudwatch_log_group" {
description = "Whether to create CloudWatch log group for VPC Flow Logs"
type = bool
default = false
}
variable "use_ipam_pool" {
description = "Determines whether IPAM pool is used for CIDR allocation"
variable "create_flow_log_cloudwatch_iam_role" {
description = "Whether to create IAM role for VPC Flow Logs"
type = bool
default = false
}
variable "ipv4_ipam_pool_id" {
description = "(Optional) The ID of an IPv4 IPAM pool you want to use for allocating this VPC's CIDR."
variable "flow_log_cloudwatch_iam_role_arn" {
description = "The ARN for the IAM role that's used to post flow logs to a CloudWatch Logs log group. When flow_log_destination_arn is set to ARN of Cloudwatch Logs, this argument needs to be provided"
type = string
default = null
default = ""
}
variable "ipv4_netmask_length" {
description = "(Optional) The netmask length of the IPv4 CIDR you want to allocate to this VPC. Requires specifying a ipv4_ipam_pool_id."
type = number
default = null
variable "flow_log_cloudwatch_log_group_name_prefix" {
description = "Specifies the name prefix of CloudWatch Log Group for VPC flow logs"
type = string
default = "/aws/vpc-flow-log/"
}
variable "ipv6_cidr" {
description = "(Optional) IPv6 CIDR block to request from an IPAM Pool. Can be set explicitly or derived from IPAM using `ipv6_netmask_length`."
variable "flow_log_cloudwatch_log_group_name_suffix" {
description = "Specifies the name suffix of CloudWatch Log Group for VPC flow logs"
type = string
default = null
default = ""
}
variable "ipv6_ipam_pool_id" {
description = "(Optional) IPAM Pool ID for a IPv6 pool. Conflicts with `assign_generated_ipv6_cidr_block`."
type = string
variable "flow_log_cloudwatch_log_group_retention_in_days" {
description = "Specifies the number of days you want to retain log events in the specified log group for VPC flow logs"
type = number
default = null
}
variable "ipv6_netmask_length" {
description = "(Optional) Netmask length to request from IPAM Pool. Conflicts with `ipv6_cidr_block`. This can be omitted if IPAM pool as a `allocation_default_netmask_length` set. Valid values: `56`."
type = number
variable "flow_log_cloudwatch_log_group_kms_key_id" {
description = "The ARN of the KMS Key to use when encrypting log data for VPC flow logs"
type = string
default = null
}
......
versions.tf
View file @ 44e6eaa1
terraform {
required_version = ">= 0.13.1"
required_version = ">= 1.0"
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 3.73"
version = ">= 4.35"
}
}
}
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment