Skip to content
This repository has been archived by the owner on Jun 10, 2024. It is now read-only.

cmdlabs/cmd-tf-aws-vpc

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

90 Commits
example
example
 
 
tests
tests
 
 
.gitignore
.gitignore
 
 
.gitlab-ci.yml
.gitlab-ci.yml
 
 
CHANGELOG.md
CHANGELOG.md
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
data.tf
data.tf
 
 
dhcp.tf
dhcp.tf
 
 
docker-compose.yml
docker-compose.yml
 
 
envvars.yml
envvars.yml
 
 
locals.tf
locals.tf
 
 
nacls-private.tf
nacls-private.tf
 
 
nacls-public.tf
nacls-public.tf
 
 
nacls-secure.tf
nacls-secure.tf
 
 
outputs.tf
outputs.tf
 
 
routes-private.tf
routes-private.tf
 
 
routes-public.tf
routes-public.tf
 
 
routes-secure.tf
routes-secure.tf
 
 
subnets.tf
subnets.tf
 
 
variables.tf
variables.tf
 
 
versions.tf
versions.tf
 
 
vpc-endpoints.tf
vpc-endpoints.tf
 
 
vpc.tf
vpc.tf
 
 

Repository files navigation

terraform-aws-vpc

Summary

This module deploys a 3-tier VPC. The following resources are managed:

  • VPC
  • Subnets
  • Routes
  • NACLs
  • Internet Gateway
  • NAT Gateways
  • Virtual Private Gateway
  • DHCP Option Sets
  • VPC Endpoints
  • RDS/EC/Redshift Subnet Groups

Tags on VPCs/Subnets are currently set to ignore changes. This is to support EKS clusters.

Terraform >= 0.12 is required for this module.

CIDR Calculations

CIDR ranges are automatically calculated using Terraform's cidrsubnet() function. The default configuration results in equal-sized tiers that are -/2 smaller than the VPC. (A /16 VPC becomes a /18 tier.) Subnets are calculated with tierCIDR-/2. (A /18 tier becomes /20 subnets.) The number of subnets is determined by the number of availability_zones specified.

In the event that you do not want this topology, you can configure the x_tier_newbits and x_subnet_newbits options found in the inputs.

Custom NACLs

NACLs in addition to the ones with input options can be added using the nacl_x_custom maps. The object schema is:

object(
    key = object({
        rule_number = number,
        egress = bool,
        protocol = number,
        rule_action = string,
        cidr_block = string,
        from_port = string,
        to_port = string
    })
    key = ...
)

Requirements

The following requirements are needed by this module:

  • terraform ( >= 0.12.26)

  • aws (>= 2.8.1)

Required Inputs

The following input variables are required:

availability_zones

Description: List of availability zones

Type: list(string)

vpc_cidr_block

Description: The CIDR block of the VPC

Type: string

vpc_name

Description: Name that will be prefixed to resources

Type: string

Optional Inputs

The following input variables are optional (have default values):

custom_dhcp_options

Description: Custom DHCP options

Type:

object({
    domain_name          = string,
    domain_name_servers  = list(string),
    ntp_servers          = list(string),
    netbios_name_servers = list(string),
    netbios_node_type    = number
  })

Default:

{
  "domain_name": null,
  "domain_name_servers": null,
  "netbios_name_servers": null,
  "netbios_node_type": null,
  "ntp_servers": null
}

enable_custom_dhcp_options

Description: Enable custom DHCP options, you must specify custom_dhcp_options

Type: bool

Default: false

enable_db_subnet_group

Description: Create the secure DB VPC subnet group

Type: bool

Default: true

enable_elasticache_subnet_group

Description: Create the secure Elasticache VPC subnet group

Type: bool

Default: true

enable_internet_gateway

Description: Attach an internet gateway to the VPC

Type: bool

Default: true

enable_nat_gateway

Description: Create nat gateways in the VPC,

Type: bool

Default: true

enable_per_az_nat_gateway

Description: Create 1 nat gateway per AZ

Type: bool

Default: true

enable_redshift_subnet_group

Description: Create the secure Redshift VPC subnet group

Type: bool

Default: true

enable_virtual_private_gateway

Description: Attach a virtual private gateway to the VPC

Type: bool

Default: false

nacl_allow_all_ephemeral

Description: Add a rule to all NACLs allowing all ephemeral ports

Type: bool

Default: true

nacl_allow_all_http

Description: Add a rule to all NACLs allowing http egress

Type: bool

Default: true

nacl_allow_all_https

Description: Add a rule to all NACLs allowing https egress

Type: bool

Default: true

nacl_allow_all_vpc_traffic

Description: Add a rule to all NACLs allowing all traffic to/from the vpc cidr

Type: bool

Default: true

nacl_block_public_to_secure

Description: Block all traffic between public and secure tiers

Type: bool

Default: false

nacl_private_custom

Description: List of custom nacls to apply to the private tier

Type: map

Default: {}

nacl_public_custom

Description: List of custom nacls to apply to the public tier

Type: map

Default: {}

nacl_secure_custom

Description: List of custom nacls to apply to the secure tier

Type: map

Default: {}

private_subnet_newbits

Description: newbits value for calculating the private subnet size

Type: number

Default: 2

private_tier_netnum

Description: netnum value for calculating the private tier cidr

Type: number

Default: 1

private_tier_newbits

Description: newbits value for calculating the private tier size

Type: number

Default: 2

public_subnet_newbits

Description: newbits value for calculating the public subnet size

Type: number

Default: 2

public_tier_netnum

Description: netnum value for calculating the public tier cidr

Type: number

Default: 0

public_tier_newbits

Description: newbits value for calculating the public tier size

Type: number

Default: 2

secure_subnet_newbits

Description: newbits value for calculating the secure subnet size

Type: number

Default: 2

secure_tier_netnum

Description: netnum value for calculating the secure tier cidr

Type: number

Default: 2

secure_tier_newbits

Description: newbits value for calculating the secure tier size

Type: number

Default: 2

tags

Description: Tags applied to all resources

Type: map(string)

Default: {}

virtual_private_gateway_asn

Description: ASN for the Amazon side of the VPG

Type: number

Default: 64512

vpc_enable_dns_hostnames

Description: Enable VPC DNS hostname resolution

Type: bool

Default: true

vpc_enable_dns_support

Description: Enable VPC DNS resolver

Type: bool

Default: true

vpc_endpoints

Description: List of VPC Interface endpoints

Type: list(string)

Default: []

vpc_gatewayendpoints

Description: List of VPC Gateway endpoints

Type: list(string)

Default: []

Outputs

The following outputs are exported:

db_subnet_group

Description: Name of db subnet group

elasticache_subnet_group

Description: Name of elasticache subnet group

private_tier_route_table_ids

Description: List of route table ids for the private tier

private_tier_subnet_cidr

Description: Private tier CIDR range

private_tier_subnet_ids

Description: List of subnet ids for the private tier

public_tier_route_table_ids

Description: List of route table ids for the public tier

public_tier_subnet_cidr

Description: Public tier CIDR range

public_tier_subnet_ids

Description: List of subnet ids for the public tier

redshift_subnet_group

Description: Name of redshift subnet group

secure_tier_route_table_ids

Description: List of route table ids for the secure tier

secure_tier_subnet_cidr

Description: Secure tier CIDR range

secure_tier_subnet_ids

Description: List of subnet ids for the secure tier

vpc_id

Description: VPC ID

About

No description, website, or topics provided.

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

0 stars

Watchers

4 watching

Forks

4 forks
Report repository

Releases

10 tags

Packages

No packages published

Contributors 5

Languages