This module creates the basic network resources for a region.
The following resources will be created:
- Virtual Private Cloud (VPC)
- Enable DNS Hostname - A DNS hostname is a name that uniquely and absolutely names a computer; it's composed of a host name and a domain name. DNS servers resolve DNS hostnames to their corresponding IP addresses.
- VPC Flow Logs
- AWS Cloudwatch log groups
- Subnets
- Public
- Private
- Secure
- Transit
- Internet Gateway
- Route tables for the Public, Private, Secure and Transit subnets
- Associate all Route Tables created to the correct subnet
- Nat Gateway
- Network Access Control List (NACL) for all subnets
- Database Subnet group - Provides an RDS DB subnet group resources
- S3 VPC endpoint
module "network" {
source = "git::https://github.com/DNXLabs/terraform-aws-network.git?ref=0.0.3"
vpc_cidr = "10.1.0.0/16"
newbits = 8 # will create /24 subnets
name = "MyVPC"
multi_nat = false
}| Name | Version |
|---|---|
| terraform | >= 1.3.0 |
| terraform | >= 0.14.0 |
| Name | Version |
|---|---|
| aws | n/a |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| attachInternetGateway | To attach or not the internet gateway within the public subnet. | boolean |
true |
no |
| byoip | Enable module to use your own Elastic IPs (Bring Your Own IP) | bool |
false |
no |
| cf_export_name | Name prefix for the export resources of the cloud formation output | string |
"" |
no |
| eip_allocation_ids | User-specified primary or secondary private IP address to associate with the Elastic IP address | list(string) |
[] |
no |
| enable_firewall_default_rule | Enable or disable the default stateful rule. | bool |
true |
no |
| firewall_custom_rule_arn | The stateful rule group arn created outside the module | list(string) |
[] |
no |
| firewall_custom_rules | The stateful rule group rules specifications in Suricata file format, with one rule per line | list(string) |
[] |
no |
| firewall_domain_list | List the domain names you want to take action on. | list(any) |
[ |
no |
| firewall_netnum_offset | Start with this subnet for secure ones, plus number of AZs | number |
14 |
no |
| kms_key_arn | The ARN of the KMS Key to use when encrypting log data. | string |
"" |
no |
| kubernetes_clusters | List of kubernetes cluster names to creates tags in public and private subnets of this VPC | list(string) |
[] |
no |
| kubernetes_clusters_secure | List of kubernetes cluster names to creates tags in secure subnets of this VPC | list(string) |
[] |
no |
| kubernetes_clusters_type | Use either 'owned' or 'shared' for kubernetes cluster tags | string |
"shared" |
no |
| max_az | Max number of AZs | number |
3 |
no |
| multi_nat | Number of NAT Instances, 'true' will yield one per AZ while 'false' creates one NAT | bool |
false |
no |
| name | Name prefix for the resources of this stack | any |
n/a | yes |
| name_pattern | Name pattern to use for resources. Options: default, kebab | string |
"default" |
no |
| name_suffix | Adds a name suffix to all resources created | string |
"" |
no |
| nat | Deploy NAT instance(s) | bool |
true |
no |
| network_firewall | Enable or disable VPC Network Firewall | bool |
false |
no |
| newbits | Number of bits to add to the vpc cidr when building subnets | number |
5 |
no |
| private_netnum_offset | Start with this subnet for private ones, plus number of AZs | number |
5 |
no |
| public_nacl_icmp | Allows ICMP traffic to and from the public subnet | bool |
true |
no |
| public_nacl_inbound_tcp_ports | TCP Ports to allow inbound on public subnet via NACLs (this list cannot be empty) | list(string) |
[ |
no |
| public_nacl_inbound_udp_ports | UDP Ports to allow inbound on public subnet via NACLs (this list cannot be empty) | list(string) |
[] |
no |
| public_nacl_outbound_tcp_ports | TCP Ports to allow outbound to external services (use [0] to allow all ports) | list(string) |
[ |
no |
| public_nacl_outbound_udp_ports | UDP Ports to allow outbound to external services (use [0] to allow all ports) | list(string) |
[ |
no |
| public_netnum_offset | Start with this subnet for public ones, plus number of AZs | number |
0 |
no |
| secure_netnum_offset | Start with this subnet for secure ones, plus number of AZs | number |
10 |
no |
| tags | Extra tags to attach to resources | map(string) |
{} |
no |
| transit_nacl_inbound_tcp_ports | TCP Ports to allow inbound on transit subnet via NACLs (this list cannot be empty) | list(string) |
[ |
no |
| transit_nacl_inbound_udp_ports | UDP Ports to allow inbound on transit subnet via NACLs (this list cannot be empty) | list(string) |
[ |
no |
| transit_netnum_offset | Start with this subnet for secure ones, plus number of AZs | number |
15 |
no |
| transit_subnet | Create a transit subnet for VPC peering (only central account) | bool |
false |
no |
| vpc_cidr | Network CIDR for the VPC | any |
n/a | yes |
| vpc_cidr_summ | Define cidr used to summarize subnets by tier | string |
"/0" |
no |
| vpc_cidr_transit | Network CIDR for Transit subnets | string |
"10.255.255.0/24" |
no |
| vpc_endpoint_dynamodb_gateway | Enable or disable VPC Endpoint for DynamoDB (Gateway) | bool |
true |
no |
| vpc_endpoint_dynamodb_policy | A policy to attach to the endpoint that controls access to the service | string |
`" { |
\"Statement\": [
{
\"Action\": \"*\",\"Effect\": \"Allow\",\"Resource\": \"*\",\"Principal\": \"*\"
}
]
}
"| no | | vpc\_endpoint\_s3\_gateway | Enable or disable VPC Endpoint for S3 Gateway |bool|true| no | | vpc\_endpoint\_s3\_policy | A policy to attach to the endpoint that controls access to the service |string|" {
"Statement": [
{
"Action": "","Effect": "Allow","Resource": "","Principal": "*"
}
]
}
"| no | | vpc\_endpoints | AWS services to create a VPC endpoint on private subnets for (e.g: ssm, ec2, ecr.dkr) | <pre>list(object(<br> {<br> name = string<br> policy = optional(string)<br> allowed_cidrs = optional(list(string))<br> }<br> ))</pre> |[]| no | | vpc\_flow\_logs | Enable or disable VPC Flow Logs |bool|true| no | | vpc\_flow\_logs\_retention | Retention in days for VPC Flow Logs CloudWatch Log Group |number|365` | no |
| Name | Description |
|---|---|
| cidr_block | CIDR for VPC created |
| db_subnet_group_id | n/a |
| firewall_subnet_cidrs | List of firewall subnet CIDRs |
| firewall_subnet_ids | List of firewall subnet IDs |
| internet_gateway_id | ID of Internet Gateway created |
| nat_gateway | n/a |
| nat_gateway_ids | List of NAT Gateway IDs |
| private_nacl_id | n/a |
| private_nacls | n/a |
| private_route_table_id | n/a |
| private_subnet_cidrs | List of private subnet CIDRs |
| private_subnet_ids | List of private subnet IDs |
| private_subnets | n/a |
| public_nacl_id | n/a |
| public_nacls | n/a |
| public_route_table_id | n/a |
| public_subnet_cidrs | List of public subnet CIDRs |
| public_subnet_ids | List of public subnet IDs |
| public_subnets | n/a |
| secure_db_subnet | n/a |
| secure_nacl_id | n/a |
| secure_nacls | n/a |
| secure_route_table_id | n/a |
| secure_subnet_cidrs | List of secure subnet CIDRs |
| secure_subnet_ids | List of secure subnet IDs |
| secure_subnets | n/a |
| transit_nacl_id | n/a |
| transit_route_table_id | n/a |
| transit_subnets | n/a |
| vpc_id | ID for VPC created |
Module managed by DNX Solutions.
Apache 2 Licensed. See LICENSE for full details.