feat!: Support enabling NAU metrics in "aws_vpc" resource (#838)

Co-authored-by: Tomasz Charewicz <tomasz.charewicz@ringieraxelspringer.pl> Co-authored-by: Anton Babenko <anton@antonbabenko.com> Co-authored-by: Bryant Biggs <bryantbiggs@gmail.com>

feat!: Support enabling NAU metrics in "aws_vpc" resource (#838)
Co-authored-by: Tomasz Charewicz <tomasz.charewicz@ringieraxelspringer.pl> Co-authored-by: Anton Babenko <anton@antonbabenko.com> Co-authored-by: Bryant Biggs <bryantbiggs@gmail.com>
44e6eaa1 · Tomasz Charewicz · GitHub · 7010e70b · 44e6eaa1 · 44e6eaa1
Commit 44e6eaa1 authored Apr 07, 2023 by Tomasz Charewicz Committed by GitHub Apr 07, 2023
58 changed files
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
 repos:
  - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.77.0
+    rev: v1.77.1
    hooks:
      - id: terraform_fmt
      - id: terraform_validate

--- a/README.md
+++ b/README.md
--- a/UPGRADE-4.0.md
+++ b/UPGRADE-4.0.md
+# Upgrade from v3.x to v4.x
+
+If you have any questions regarding this upgrade process, please consult the [`examples`](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/) directory:
+
+If you find a bug, please open an issue with supporting configuration to reproduce.
+
+## List of backwards incompatible changes
+
+- The minimum required Terraform version is now 1.0
+- The minimum required AWS provider version is now 4.x (4.35.0 at time of writing)
+- `assign_ipv6_address_on_creation` has been removed; use the respective subnet type equivalent instead (i.e. - `public_subnet_assign_ipv6_address_on_creation`)
+- `enable_classiclink` has been removed; it is no longer supported by AWS https://github.com/hashicorp/terraform/issues/31730
+- `enable_classiclink_dns_support` has been removed; it is no longer supported by AWS https://github.com/hashicorp/terraform/issues/31730
+
+## Additional changes
+
+### Modified
+
+- `map_public_ip_on_launch` now defaults to `false`
+- `enable_dns_hostnames` now defaults to `true`
+- `enable_dns_support` now defaults to `true`
+- `manage_default_security_group` now defaults to `true`
+- `manage_default_route_table` now defaults to `true`
+- `manage_default_network_acl` now defaults to `true`
+- The default name for the default security group, route table, and network ACL has changed to fallback to append `-default` to the VPC name if a specific name is not provided
+- The default fallback value for outputs has changed from an empty string to `null`
+
+### Variable and output changes
+
+1. Removed variables:
+
+    - `assign_ipv6_address_on_creation` has been removed; use the respective subnet type equivalent instead (i.e. - `public_subnet_assign_ipv6_address_on_creation`)
+    - `enable_classiclink` has been removed; it is no longer supported by AWS https://github.com/hashicorp/terraform/issues/31730
+    - `enable_classiclink_dns_support` has been removed; it is no longer supported by AWS https://github.com/hashicorp/terraform/issues/31730
+
+2. Renamed variables:
+
+    - None
+
+3. Added variables:
+
+    - VPC
+      - `ipv6_cidr_block_network_border_group`
+      - `enable_network_address_usage_metrics`
+    - Subnets
+      - `*_subnet_enable_dns64` for each subnet type
+      - `*_subnet_enable_resource_name_dns_aaaa_record_on_launch` for each subnet type
+      - `*_subnet_enable_resource_name_dns_a_record_on_launch` for each subnet type
+      - `*_subnet_ipv6_native` for each subnet type
+      - `*_subnet_private_dns_hostname_type_on_launch` for each subnet type
+
+4. Removed outputs:
+
+    - None
+
+5. Renamed outputs:
+
+    - None
+
+6. Added outputs:
+
+    - None
+
+### State Changes
+
+None
--- a/examples/complete-vpc/README.md
+++ b/examples/complete-vpc/README.md
@@ -21,14 +21,14 @@ Note that this example may create resources which can cost money (AWS Elastic IP

 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.73 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.35 |

 ## Providers

 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.73 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.35 |

 ## Modules

@@ -43,6 +43,7 @@ Note that this example may create resources which can cost money (AWS Elastic IP
 | Name | Type |
 |------|------|
 | [aws_security_group.vpc_tls](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
+| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
 | [aws_iam_policy_document.dynamodb_endpoint_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.generic_endpoint_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_security_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source |

--- a/examples/complete-vpc/main.tf
+++ b/examples/complete-vpc/main.tf
@@ -2,10 +2,15 @@ provider "aws" {
  region = local.region
 }

+data "aws_availability_zones" "available" {}
+
 locals {
-  name   = "ex-${replace(basename(path.cwd), "_", "-")}"
+  name   = "ex-${basename(path.cwd)}"
  region = "eu-west-1"

+  vpc_cidr = "10.0.0.0/16"
+  azs      = slice(data.aws_availability_zones.available.names, 0, 3)
+
  tags = {
    Example    = local.name
    GithubRepo = "terraform-aws-vpc"
@@ -21,15 +26,15 @@ module "vpc" {
  source = "../../"

  name = local.name
-  cidr = "10.0.0.0/16"
+  cidr = local.vpc_cidr

-  azs                 = ["${local.region}a", "${local.region}b", "${local.region}c"]
-  private_subnets     = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
-  public_subnets      = ["10.0.11.0/24", "10.0.12.0/24", "10.0.13.0/24"]
-  database_subnets    = ["10.0.21.0/24", "10.0.22.0/24", "10.0.23.0/24"]
-  elasticache_subnets = ["10.0.31.0/24", "10.0.32.0/24", "10.0.33.0/24"]
-  redshift_subnets    = ["10.0.41.0/24", "10.0.42.0/24", "10.0.43.0/24"]
-  intra_subnets       = ["10.0.51.0/24", "10.0.52.0/24", "10.0.53.0/24"]
+  azs                 = local.azs
+  private_subnets     = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k)]
+  public_subnets      = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 4)]
+  database_subnets    = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 8)]
+  elasticache_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 12)]
+  redshift_subnets    = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 16)]
+  intra_subnets       = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 20)]

  private_subnet_names = ["Private Subnet One", "Private Subnet Two"]
  # public_subnet_names omitted to show default name generation for all three subnets
@@ -39,15 +44,9 @@ module "vpc" {
  intra_subnet_names       = []

  create_database_subnet_group  = false
-
-  manage_default_network_acl = true
-  default_network_acl_tags   = { Name = "${local.name}-default" }
-
-  manage_default_route_table = true
-  default_route_table_tags   = { Name = "${local.name}-default" }
-
-  manage_default_security_group = true
-  default_security_group_tags   = { Name = "${local.name}-default" }
+  manage_default_network_acl    = false
+  manage_default_route_table    = false
+  manage_default_security_group = false

  enable_dns_hostnames = true
  enable_dns_support   = true

--- a/examples/complete-vpc/outputs.tf
+++ b/examples/complete-vpc/outputs.tf
--- a/examples/complete-vpc/variables.tf
+++ b/examples/complete-vpc/variables.tf
--- a/examples/complete-vpc/versions.tf
+++ b/examples/complete-vpc/versions.tf
 terraform {
-  required_version = ">= 0.13.1"
+  required_version = ">= 1.0"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
-      version = ">= 3.73"
+      version = ">= 4.35"
    }
  }
 }
--- a/examples/ipam-vpc/README.md
+++ b/examples/ipam-vpc/README.md
@@ -29,14 +29,14 @@ Note that this example may create resources which can cost money (AWS Elastic IP

 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.73 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.35 |

 ## Providers

 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.73 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.35 |

 ## Modules

@@ -54,6 +54,7 @@ Note that this example may create resources which can cost money (AWS Elastic IP
 | [aws_vpc_ipam_pool.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_ipam_pool) | resource |
 | [aws_vpc_ipam_pool_cidr.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_ipam_pool_cidr) | resource |
 | [aws_vpc_ipam_preview_next_cidr.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_ipam_preview_next_cidr) | resource |
+| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |

 ## Inputs


--- a/examples/ipam-vpc/main.tf
+++ b/examples/ipam-vpc/main.tf
@@ -2,11 +2,13 @@ provider "aws" {
  region = local.region
 }

+data "aws_availability_zones" "available" {}
+
 locals {
-  name   = "ex-${replace(basename(path.cwd), "_", "-")}"
+  name   = "ex-${basename(path.cwd)}"
  region = "eu-west-1"

-  azs               = ["${local.region}a", "${local.region}b", "${local.region}c"]
+  azs               = slice(data.aws_availability_zones.available.names, 0, 3)
  preview_partition = cidrsubnets(aws_vpc_ipam_preview_next_cidr.this.cidr, 2, 2, 2)

  tags = {

--- a/examples/ipam-vpc/outputs.tf
+++ b/examples/ipam-vpc/outputs.tf
--- a/examples/ipam-vpc/variables.tf
+++ b/examples/ipam-vpc/variables.tf
--- a/examples/ipam-vpc/versions.tf
+++ b/examples/ipam-vpc/versions.tf
 terraform {
-  required_version = ">= 0.13.1"
+  required_version = ">= 1.0"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
-      version = ">= 3.73"
+      version = ">= 4.35"
    }
  }
 }
--- a/examples/ipv6/README.md
+++ b/examples/ipv6/README.md
@@ -19,12 +19,14 @@ Note that this example may create resources which can cost money (AWS Elastic IP

 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.73 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.35 |

 ## Providers

-No providers.
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.35 |

 ## Modules

@@ -34,7 +36,9 @@ No providers.

 ## Resources

-No resources.
+| Name | Type |
+|------|------|
+| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |

 ## Inputs


--- a/examples/ipv6/main.tf
+++ b/examples/ipv6/main.tf
@@ -2,10 +2,15 @@ provider "aws" {
  region = local.region
 }

+data "aws_availability_zones" "available" {}
+
 locals {
-  name   = "ex-${replace(basename(path.cwd), "_", "-")}"
+  name   = "ex-${basename(path.cwd)}"
  region = "eu-west-1"

+  vpc_cidr = "10.0.0.0/16"
+  azs      = slice(data.aws_availability_zones.available.names, 0, 3)
+
  tags = {
    Example    = local.name
    GithubRepo = "terraform-aws-vpc"
@@ -20,13 +25,13 @@ locals {
 module "vpc" {
  source = "../.."

-  name = "ipv6"
-  cidr = "10.0.0.0/16"
+  name = local.name
+  cidr = local.vpc_cidr

-  azs              = ["${local.region}a", "${local.region}b"]
-  private_subnets  = ["10.0.1.0/24", "10.0.2.0/24"]
-  public_subnets   = ["10.0.101.0/24", "10.0.102.0/24"]
-  database_subnets = ["10.0.103.0/24", "10.0.104.0/24"]
+  azs              = local.azs
+  private_subnets  = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k)]
+  public_subnets   = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 4)]
+  database_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 8)]

  enable_nat_gateway = false

@@ -34,13 +39,11 @@ module "vpc" {
  create_database_internet_gateway_route = true

  enable_ipv6                                   = true
-  assign_ipv6_address_on_creation = true
-
-  private_subnet_assign_ipv6_address_on_creation = false
+  public_subnet_assign_ipv6_address_on_creation = true

-  public_subnet_ipv6_prefixes   = [0, 1]
-  private_subnet_ipv6_prefixes  = [2, 3]
-  database_subnet_ipv6_prefixes = [4, 5]
+  public_subnet_ipv6_prefixes   = [0, 1, 2]
+  private_subnet_ipv6_prefixes  = [3, 4, 5]
+  database_subnet_ipv6_prefixes = [6, 7, 8]

  tags = local.tags
 }
--- a/examples/ipv6/outputs.tf
+++ b/examples/ipv6/outputs.tf
--- a/examples/ipv6/variables.tf
+++ b/examples/ipv6/variables.tf
--- a/examples/ipv6/versions.tf
+++ b/examples/ipv6/versions.tf
 terraform {
-  required_version = ">= 0.13.1"
+  required_version = ">= 1.0"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
-      version = ">= 3.73"
+      version = ">= 4.35"
    }
  }
 }
--- a/examples/ipv6-only/README.md
+++ b/examples/ipv6-only/README.md
--- a/examples/ipv6-only/main.tf
+++ b/examples/ipv6-only/main.tf
+provider "aws" {
+  region = local.region
+}
+
+data "aws_availability_zones" "available" {}
+
+locals {
+  name   = "ex-${basename(path.cwd)}"
+  region = "eu-west-1"
+
+  tags = {
+    Example    = local.name
+    GithubRepo = "terraform-aws-vpc"
+    GithubOrg  = "terraform-aws-modules"
+  }
+}
+
+################################################################################
+# VPC Module
+################################################################################
+
+module "vpc" {
+  source = "../.."
+
+  name = local.name
+
+  azs         = slice(data.aws_availability_zones.available.names, 0, 3)
+  enable_ipv6 = true
+
+  public_subnet_ipv6_native    = true
+  public_subnet_ipv6_prefixes  = [0, 1, 2]
+  private_subnet_ipv6_native   = true
+  private_subnet_ipv6_prefixes = [3, 4, 5]
+
+  # RDS currently only supports dual-stack so IPv4 CIDRs will need to be provided for subnets
+  # database_subnet_ipv6_native   = true
+  # database_subnet_ipv6_prefixes = [6, 7, 8]
+
+  enable_nat_gateway     = false
+  create_egress_only_igw = true
+
+  tags = local.tags
+}
--- a/examples/simple-vpc/outputs.tf
+++ b/examples/simple-vpc/outputs.tf
--- a/examples/simple-vpc/variables.tf
+++ b/examples/simple-vpc/variables.tf
--- a/examples/simple-vpc/versions.tf
+++ b/examples/simple-vpc/versions.tf
 terraform {
-  required_version = ">= 0.13.1"
+  required_version = ">= 1.0"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
-      version = ">= 3.73"
+      version = ">= 4.35"
    }
  }
 }
--- a/examples/issues/README.md
+++ b/examples/issues/README.md
@@ -24,12 +24,14 @@ Note that this example may create resources which can cost money (AWS Elastic IP

 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.73 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.35 |

 ## Providers

-No providers.
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.35 |

 ## Modules

@@ -41,7 +43,9 @@ No providers.

 ## Resources

-No resources.
+| Name | Type |
+|------|------|
+| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |

 ## Inputs


--- a/examples/issues/main.tf
+++ b/examples/issues/main.tf
@@ -2,10 +2,14 @@ provider "aws" {
  region = local.region
 }

+data "aws_availability_zones" "available" {}
+
 locals {
-  name   = "ex-${replace(basename(path.cwd), "_", "-")}"
+  name   = "ex-${basename(path.cwd)}"
  region = "eu-west-1"

+  azs = slice(data.aws_availability_zones.available.names, 0, 3)
+
  tags = {
    Example    = local.name
    GithubRepo = "terraform-aws-vpc"
@@ -23,7 +27,7 @@ module "vpc_issue_44" {
  name = "asymmetrical"
  cidr = "10.0.0.0/16"

-  azs              = ["${local.region}a", "${local.region}b", "${local.region}c"]
+  azs              = local.azs
  private_subnets  = ["10.0.1.0/24"]
  public_subnets   = ["10.0.101.0/24", "10.0.102.0/24"]
  database_subnets = ["10.0.21.0/24", "10.0.22.0/24", "10.0.23.0/24"]
@@ -47,7 +51,7 @@ module "vpc_issue_46" {
  name = "no-private-subnets"
  cidr = "10.0.0.0/16"

-  azs                 = ["${local.region}a", "${local.region}b", "${local.region}c"]
+  azs                 = local.azs
  public_subnets      = ["10.0.0.0/22", "10.0.4.0/22", "10.0.8.0/22"]
  private_subnets     = []
  database_subnets    = ["10.0.128.0/24", "10.0.129.0/24"]
@@ -73,7 +77,7 @@ module "vpc_issue_108" {
  name = "route-already-exists"
  cidr = "10.0.0.0/16"

-  azs             = ["${local.region}a", "${local.region}b", "${local.region}c"]
+  azs             = local.azs
  private_subnets = ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24"]
  public_subnets  = ["10.0.254.240/28", "10.0.254.224/28", "10.0.254.208/28"]


--- a/examples/issues/versions.tf
+++ b/examples/issues/versions.tf
 terraform {
-  required_version = ">= 0.13.1"
+  required_version = ">= 1.0"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
-      version = ">= 3.73"
+      version = ">= 4.35"
    }
  }
 }
--- a/examples/manage-default-vpc/README.md
+++ b/examples/manage-default-vpc/README.md
@@ -21,8 +21,8 @@ Run `terraform destroy` when you don't need these resources.

 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.73 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.35 |

 ## Providers


--- a/examples/manage-default-vpc/main.tf
+++ b/examples/manage-default-vpc/main.tf
@@ -3,7 +3,7 @@ provider "aws" {
 }

 locals {
-  name   = "ex-${replace(basename(path.cwd), "_", "-")}"
+  name   = "ex-${basename(path.cwd)}"
  region = "eu-west-1"

  tags = {

--- a/examples/manage-default-vpc/versions.tf
+++ b/examples/manage-default-vpc/versions.tf
 terraform {
-  required_version = ">= 0.13.1"
+  required_version = ">= 1.0"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
-      version = ">= 3.73"
+      version = ">= 4.35"
    }
  }
 }
--- a/examples/network-acls/README.md
+++ b/examples/network-acls/README.md
@@ -23,12 +23,14 @@ Note that this example may create resources which can cost money (AWS Elastic IP

 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.73 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.35 |

 ## Providers

-No providers.
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.35 |

 ## Modules

@@ -38,7 +40,9 @@ No providers.

 ## Resources

-No resources.
+| Name | Type |
+|------|------|
+| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |

 ## Inputs


--- a/examples/network-acls/main.tf
+++ b/examples/network-acls/main.tf
@@ -2,10 +2,15 @@ provider "aws" {
  region = local.region
 }

+data "aws_availability_zones" "available" {}
+
 locals {
-  name   = "ex-${replace(basename(path.cwd), "_", "-")}"
+  name   = "ex-${basename(path.cwd)}"
  region = "eu-west-1"

+  vpc_cidr = "10.0.0.0/16"
+  azs      = slice(data.aws_availability_zones.available.names, 0, 3)
+
  tags = {
    Example    = local.name
    GithubRepo = "terraform-aws-vpc"
@@ -170,12 +175,12 @@ module "vpc" {
  source = "../../"

  name = local.name
-  cidr = "10.0.0.0/16"
+  cidr = local.vpc_cidr

-  azs                 = ["${local.region}a", "${local.region}b", "${local.region}c"]
-  private_subnets     = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
-  public_subnets      = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
-  elasticache_subnets = ["10.0.201.0/24", "10.0.202.0/24", "10.0.203.0/24"]
+  azs                 = local.azs
+  private_subnets     = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k)]
+  public_subnets      = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 4)]
+  elasticache_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 8)]

  public_dedicated_network_acl   = true
  public_inbound_acl_rules       = concat(local.network_acls["default_inbound"], local.network_acls["public_inbound"])

--- a/examples/network-acls/versions.tf
+++ b/examples/network-acls/versions.tf
 terraform {
-  required_version = ">= 0.13.1"
+  required_version = ">= 1.0"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
-      version = ">= 3.73"
+      version = ">= 4.35"
    }
  }
 }
--- a/examples/outpost/README.md
+++ b/examples/outpost/README.md
@@ -23,14 +23,14 @@ Note that this example may create resources which can cost money (AWS Elastic IP

 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.73 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.35 |

 ## Providers

 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.73 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.35 |

 ## Modules


--- a/examples/outpost/main.tf
+++ b/examples/outpost/main.tf
@@ -6,10 +6,15 @@ provider "aws" {
  }
 }

+data "aws_availability_zones" "available" {}
+
 locals {
-  name   = "ex-${replace(basename(path.cwd), "_", "-")}"
+  name   = "ex-${basename(path.cwd)}"
  region = "eu-west-1"

+  vpc_cidr = "10.0.0.0/16"
+  azs      = slice(data.aws_availability_zones.available.names, 0, 3)
+
  tags = {
    Example    = local.name
    GithubRepo = "terraform-aws-vpc"
@@ -112,16 +117,6 @@ locals {
  }
 }

-################################################################################
-# Supporting Resources
-################################################################################
-
-data "aws_outposts_outpost" "shared" {
-  name = "SEA19.07"
-}
-
-data "aws_availability_zones" "available" {}
-
 ################################################################################
 # VPC Module
 ################################################################################
@@ -130,15 +125,11 @@ module "vpc" {
  source = "../../"

  name = local.name
-  cidr = "10.0.0.0/16"
+  cidr = local.vpc_cidr

-  azs = [
-    data.aws_availability_zones.available.names[0],
-    data.aws_availability_zones.available.names[1],
-    data.aws_availability_zones.available.names[2],
-  ]
-  private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
-  public_subnets  = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
+  azs             = local.azs
+  private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k)]
+  public_subnets  = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 4)]

  # Outpost is using single AZ specified in `outpost_az`
  outpost_subnets = ["10.0.50.0/24", "10.0.51.0/24"]
@@ -161,3 +152,11 @@ module "vpc" {

  tags = local.tags
 }
+
+################################################################################
+# Supporting Resources
+################################################################################
+
+data "aws_outposts_outpost" "shared" {
+  name = "SEA19.07"
+}
--- a/examples/outpost/versions.tf
+++ b/examples/outpost/versions.tf
 terraform {
-  required_version = ">= 0.13.1"
+  required_version = ">= 1.0"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
-      version = ">= 3.73"
+      version = ">= 4.35"
    }
  }
 }
--- a/examples/secondary-cidr-blocks/README.md
+++ b/examples/secondary-cidr-blocks/README.md
@@ -21,12 +21,14 @@ Note that this example may create resources which can cost money (AWS Elastic IP

 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.73 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.35 |

 ## Providers

-No providers.
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.35 |

 ## Modules

@@ -36,7 +38,9 @@ No providers.

 ## Resources

-No resources.
+| Name | Type |
+|------|------|
+| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |

 ## Inputs


--- a/examples/secondary-cidr-blocks/main.tf
+++ b/examples/secondary-cidr-blocks/main.tf
@@ -2,10 +2,16 @@ provider "aws" {
  region = local.region
 }

+data "aws_availability_zones" "available" {}
+
 locals {
-  name   = "ex-${replace(basename(path.cwd), "_", "-")}"
+  name   = "ex-${basename(path.cwd)}"
  region = "eu-west-1"

+  vpc_cidr              = "10.0.0.0/16"
+  secondary_cidr_blocks = ["10.1.0.0/16", "10.2.0.0/16"]
+  azs                   = slice(data.aws_availability_zones.available.names, 0, 3)
+
  tags = {
    Example    = local.name
    GithubRepo = "terraform-aws-vpc"
@@ -21,26 +27,19 @@ module "vpc" {
  source = "../../"

  name = local.name
+  cidr = local.vpc_cidr

-  cidr                  = "10.0.0.0/16"
-  secondary_cidr_blocks = ["10.1.0.0/16", "10.2.0.0/16"]
-
-  azs             = ["${local.region}a", "${local.region}b", "${local.region}c"]
-  private_subnets = ["10.0.1.0/24", "10.1.2.0/24", "10.2.3.0/24"]
-  public_subnets  = ["10.0.101.0/24", "10.1.102.0/24", "10.2.103.0/24"]
+  secondary_cidr_blocks = local.secondary_cidr_blocks # can add up to 5 total CIDR blocks

-  enable_ipv6 = true
+  azs = local.azs
+  private_subnets = concat(
+    [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 4, k)],
+    [for k, v in local.azs : cidrsubnet(element(local.secondary_cidr_blocks, 0), 2, k)],
+    [for k, v in local.azs : cidrsubnet(element(local.secondary_cidr_blocks, 1), 2, k)],
+  )
+  public_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 48)]

-  enable_nat_gateway = true
-  single_nat_gateway = true
-
-  public_subnet_tags = {
-    Name = "overridden-name-public"
-  }
+  enable_nat_gateway = false

  tags = local.tags
-
-  vpc_tags = {
-    Name = "vpc-name"
-  }
 }
--- a/examples/secondary-cidr-blocks/versions.tf
+++ b/examples/secondary-cidr-blocks/versions.tf
 terraform {
-  required_version = ">= 0.13.1"
+  required_version = ">= 1.0"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
-      version = ">= 3.73"
+      version = ">= 4.35"
    }
  }
 }
--- a/examples/vpc-separate-private-route-tables/README.md
+++ b/examples/vpc-separate-private-route-tables/README.md
@@ -21,12 +21,14 @@ Note that this example may create resources which can cost money (AWS Elastic IP

 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.73 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.35 |

 ## Providers

-No providers.
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.35 |

 ## Modules

@@ -36,7 +38,9 @@ No providers.

 ## Resources

-No resources.
+| Name | Type |
+|------|------|
+| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |

 ## Inputs


--- a/examples/vpc-separate-private-route-tables/main.tf
+++ b/examples/vpc-separate-private-route-tables/main.tf
@@ -2,10 +2,15 @@ provider "aws" {
  region = local.region
 }

+data "aws_availability_zones" "available" {}
+
 locals {
-  name   = "ex-${replace(basename(path.cwd), "_", "-")}"
+  name   = "ex-${basename(path.cwd)}"
  region = "eu-west-1"

+  vpc_cidr = "10.0.0.0/16"
+  azs      = slice(data.aws_availability_zones.available.names, 0, 3)
+
  tags = {
    Example    = local.name
    GithubRepo = "terraform-aws-vpc"
@@ -21,15 +26,15 @@ module "vpc" {
  source = "../../"

  name = local.name
-
-  cidr = "10.10.0.0/16"
-
-  azs                 = ["${local.region}a", "${local.region}b", "${local.region}c"]
-  private_subnets     = ["10.10.1.0/24", "10.10.2.0/24", "10.10.3.0/24"]
-  public_subnets      = ["10.10.11.0/24", "10.10.12.0/24", "10.10.13.0/24"]
-  database_subnets    = ["10.10.21.0/24", "10.10.22.0/24", "10.10.23.0/24"]
-  elasticache_subnets = ["10.10.31.0/24", "10.10.32.0/24", "10.10.33.0/24"]
-  redshift_subnets    = ["10.10.41.0/24", "10.10.42.0/24", "10.10.43.0/24"]
+  cidr = local.vpc_cidr
+
+  azs                 = local.azs
+  private_subnets     = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k)]
+  public_subnets      = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 4)]
+  database_subnets    = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 8)]
+  elasticache_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 12)]
+  redshift_subnets    = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 16)]
+  intra_subnets       = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 20)]

  create_database_subnet_route_table    = true
  create_elasticache_subnet_route_table = true

--- a/examples/vpc-separate-private-route-tables/outputs.tf
+++ b/examples/vpc-separate-private-route-tables/outputs.tf
--- a/examples/vpc-separate-private-route-tables/variables.tf
+++ b/examples/vpc-separate-private-route-tables/variables.tf
--- a/examples/separate-route-tables/versions.tf
+++ b/examples/separate-route-tables/versions.tf
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 4.35"
+    }
+  }
+}
--- a/examples/simple-vpc/README.md
+++ b/examples/simple-vpc/README.md
@@ -25,12 +25,14 @@ Note that this example may create resources which can cost money (AWS Elastic IP

 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.73 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.35 |

 ## Providers

-No providers.
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.35 |

 ## Modules

@@ -40,7 +42,9 @@ No providers.

 ## Resources

-No resources.
+| Name | Type |
+|------|------|
+| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |

 ## Inputs


--- a/examples/simple-vpc/main.tf
+++ b/examples/simple-vpc/main.tf
@@ -2,10 +2,15 @@ provider "aws" {
  region = local.region
 }

+data "aws_availability_zones" "available" {}
+
 locals {
-  name   = "ex-${replace(basename(path.cwd), "_", "-")}"
+  name   = "ex-${basename(path.cwd)}"
  region = "eu-west-1"

+  vpc_cidr = "10.0.0.0/16"
+  azs      = slice(data.aws_availability_zones.available.names, 0, 3)
+
  tags = {
    Example    = local.name
    GithubRepo = "terraform-aws-vpc"
@@ -21,30 +26,13 @@ module "vpc" {
  source = "../../"

  name = local.name
-  cidr = "10.0.0.0/16"
-
-  azs             = ["${local.region}a", "${local.region}b", "${local.region}c"]
-  private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
-  public_subnets  = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
+  cidr = local.vpc_cidr

-  enable_ipv6 = true
+  azs             = local.azs
+  private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k)]
+  public_subnets  = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 4)]

  enable_nat_gateway = false
-  single_nat_gateway = true
-
-  public_subnet_tags = {
-    Name = "overridden-name-public"
-  }
-
-  public_subnet_tags_per_az = {
-    "${local.region}a" = {
-      "availability-zone" = "${local.region}a"
-    }
-  }

  tags = local.tags
-
-  vpc_tags = {
-    Name = "vpc-name"
-  }
 }
--- a/examples/simple/outputs.tf
+++ b/examples/simple/outputs.tf
--- a/examples/simple/variables.tf
+++ b/examples/simple/variables.tf
--- a/examples/simple/versions.tf
+++ b/examples/simple/versions.tf
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 4.35"
+    }
+  }
+}
--- a/examples/vpc-flow-logs/README.md
+++ b/examples/vpc-flow-logs/README.md
@@ -23,15 +23,15 @@ Note that this example may create resources which can cost money (AWS Elastic IP

 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.75 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.35 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | >= 2.0 |

 ## Providers

 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.75 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.35 |
 | <a name="provider_random"></a> [random](#provider\_random) | >= 2.0 |

 ## Modules
@@ -53,6 +53,7 @@ Note that this example may create resources which can cost money (AWS Elastic IP
 | [aws_iam_role.vpc_flow_log_cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy_attachment.vpc_flow_log_cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [random_pet.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource |
+| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
 | [aws_iam_policy_document.flow_log_cloudwatch_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.flow_log_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.vpc_flow_log_cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |

--- a/examples/vpc-flow-logs/main.tf
+++ b/examples/vpc-flow-logs/main.tf
@@ -2,10 +2,15 @@ provider "aws" {
  region = local.region
 }

+data "aws_availability_zones" "available" {}
+
 locals {
-  name   = "ex-${replace(basename(path.cwd), "_", "-")}"
+  name   = "ex-${basename(path.cwd)}"
  region = "eu-west-1"

+  vpc_cidr = "10.0.0.0/16"
+  azs      = slice(data.aws_availability_zones.available.names, 0, 3)
+
  tags = {
    Example    = local.name
    GithubRepo = "terraform-aws-vpc"
@@ -13,7 +18,6 @@ locals {
  }

  s3_bucket_name = "vpc-flow-logs-to-s3-${random_pet.this.id}"
-  cloudwatch_log_group_name = "vpc-flow-logs-to-cloudwatch-${random_pet.this.id}"
 }

 ################################################################################
@@ -24,10 +28,11 @@ module "vpc_with_flow_logs_s3_bucket" {
  source = "../../"

  name = local.name
-  cidr = "10.30.0.0/16"
+  cidr = local.vpc_cidr

-  azs            = ["${local.region}a"]
-  public_subnets = ["10.30.101.0/24"]
+  azs             = local.azs
+  private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k)]
+  public_subnets  = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 4)]

  enable_flow_log           = true
  flow_log_destination_type = "s3"
@@ -40,10 +45,11 @@ module "vpc_with_flow_logs_s3_bucket_parquet" {
  source = "../../"

  name = "${local.name}-parquet"
-  cidr = "10.30.0.0/16"
+  cidr = local.vpc_cidr

-  azs            = ["${local.region}a"]
-  public_subnets = ["10.30.101.0/24"]
+  azs             = local.azs
+  private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k)]
+  public_subnets  = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 4)]

  enable_flow_log           = true
  flow_log_destination_type = "s3"
@@ -58,10 +64,11 @@ module "vpc_with_flow_logs_cloudwatch_logs_default" {
  source = "../../"

  name = "${local.name}-cloudwatch-logs-default"
-  cidr = "10.10.0.0/16"
+  cidr = local.vpc_cidr

-  azs            = ["${local.region}a"]
-  public_subnets = ["10.10.101.0/24"]
+  azs             = local.azs
+  private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k)]
+  public_subnets  = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 4)]

  # Cloudwatch log group and IAM role will be created
  enable_flow_log                      = true
@@ -80,10 +87,11 @@ module "vpc_with_flow_logs_cloudwatch_logs" {
  source = "../../"

  name = "${local.name}-cloudwatch-logs"
-  cidr = "10.20.0.0/16"
+  cidr = local.vpc_cidr

-  azs            = ["${local.region}a"]
-  public_subnets = ["10.20.101.0/24"]
+  azs             = local.azs
+  private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k)]
+  public_subnets  = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 4)]

  enable_flow_log                  = true
  flow_log_destination_type        = "cloud-watch-logs"
@@ -143,7 +151,7 @@ data "aws_iam_policy_document" "flow_log_s3" {

 # Cloudwatch logs
 resource "aws_cloudwatch_log_group" "flow_log" {
-  name = local.cloudwatch_log_group_name
+  name = "vpc-flow-logs-to-cloudwatch-${random_pet.this.id}"
 }

 resource "aws_iam_role" "vpc_flow_log_cloudwatch" {

--- a/examples/vpc-flow-logs/versions.tf
+++ b/examples/vpc-flow-logs/versions.tf
 terraform {
-  required_version = ">= 0.13.1"
+  required_version = ">= 1.0"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
-      version = ">= 3.75"
+      version = ">= 4.35"
    }

    random = {

--- a/examples/vpc-separate-private-route-tables/versions.tf
+++ b/examples/vpc-separate-private-route-tables/versions.tf
-terraform {
-  required_version = ">= 0.13.1"
-
-  required_providers {
-    aws = {
-      source  = "hashicorp/aws"
-      version = ">= 3.73"
-    }
-  }
-}
--- a/main.tf
+++ b/main.tf
--- a/modules/vpc-endpoints/README.md
+++ b/modules/vpc-endpoints/README.md
@@ -55,14 +55,14 @@ module "endpoints" {

 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.28 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.35 |

 ## Providers

 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.28 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.35 |

 ## Modules


--- a/modules/vpc-endpoints/versions.tf
+++ b/modules/vpc-endpoints/versions.tf
 terraform {
-  required_version = ">= 0.13.1"
+  required_version = ">= 1.0"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
-      version = ">= 3.28"
+      version = ">= 4.35"
    }
  }
 }
--- a/outputs.tf
+++ b/outputs.tf
--- a/variables.tf
+++ b/variables.tf
--- a/versions.tf
+++ b/versions.tf
 terraform {
-  required_version = ">= 0.13.1"
+  required_version = ">= 1.0"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
-      version = ">= 3.73"
+      version = ">= 4.35"
    }
  }
 }