This module deploys AWS VPC along with subnets, route tables and necessary Network ACLs.
This module is design with security first in mind and part of SUDO's DevOps Accelerators.
| Name | Version |
|---|---|
| terraform | >= 0.13.1 |
| aws | >= 3.67 |
| random | >= 3.1 |
| Name | Version |
|---|---|
| aws | >= 3.67 |
| random | >= 3.1 |
No modules.
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| amazon_side_asn | (optional) Provide ASN for the gateway. Default: 64512 | string |
"64512" |
no |
| assign_ipv6_address_on_creation | Assign IPv6 address on subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch | bool |
false |
no |
| azs | A list of availability zones names or ids in the region | list(string) |
[] |
no |
| cidr | (Optional) The IPv4 CIDR block for the VPC. CIDR can be explicitly set or it can be derived from IPAM using ipv4_netmask_length & ipv4_ipam_pool_id |
string |
"0.0.0.0/0" |
no |
| create_database_internet_gateway_route | Controls if an internet gateway route for public database access should be created | bool |
false |
no |
| create_database_nat_gateway_route | Controls if a nat gateway route should be created to give internet access to the database subnets | bool |
false |
no |
| create_database_subnet_group | Controls if database subnet group should be created (n.b. database_subnets must also be set) | bool |
true |
no |
| create_database_subnet_route_table | Controls if separate route table for database should be created | bool |
false |
no |
| create_egress_only_igw | Controls if an Egress Only Internet Gateway is created and its related routes. | bool |
true |
no |
| create_flow_log_cloudwatch_iam_role | (optional) Create Flow Log CloudWatch IAM Role. Default: true | bool |
true |
no |
| create_flow_log_cloudwatch_log_group | (optional) Create Flow Log CloudWatch Log Group. Default: true | bool |
true |
no |
| create_igw | Controls if an Internet Gateway is created for public subnets and the related routes that connect them. | bool |
true |
no |
| create_vpc | Controls if VPC should be created (it affects almost all resources) | bool |
true |
no |
| customer_gateway_tags | (optional) Customer Gateway additional tags | map(string) |
{} |
no |
| customer_gateways | (optional) Maps of Customer Gateways | map(map(any)) |
{} |
no |
| database_dedicated_network_acl | Whether to use dedicated network ACL (not default) and custom rules for database subnets | bool |
false |
no |
| database_route_table_tags | Additional tags for the database route tables | map(string) |
{} |
no |
| database_subnet_assign_ipv6_address_on_creation | Assign IPv6 address on database subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch | bool |
null |
no |
| database_subnet_group_name | Name to be used on the database subnet group | string |
null |
no |
| database_subnet_group_tags | Additional tags for the database subnet group | map(string) |
{} |
no |
| database_subnet_ipv6_prefixes | Assigns IPv6 database subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list | list(string) |
[] |
no |
| database_subnet_names | Explicit values to use in the Name tag on database subnets. If empty, Name tags are generated. | list(string) |
[] |
no |
| database_subnet_suffix | Suffix to append to database subnets name | string |
"database" |
no |
| database_subnet_tags | Additional tags for the database subnets | map(string) |
{} |
no |
| database_subnets | A list of database subnets inside the VPC | list(string) |
[] |
no |
| default_security_group_egress | List of maps of egress rules to set on the default security group | list(map(string)) |
[] |
no |
| default_security_group_ingress | List of maps of ingress rules to set on the default security group | list(map(string)) |
[] |
no |
| default_security_group_name | Name to be used on the default security group | string |
null |
no |
| default_security_group_tags | Additional tags for the default security group | map(string) |
{} |
no |
| default_vpc_enable_classiclink | Backward compatibility only, not used. | bool |
false |
no |
| default_vpc_enable_dns_hostnames | (optional) Set to true to enable Default VPC DNS Hostname. Default: true | bool |
false |
no |
| default_vpc_enable_dns_support | (optional) Set to true to enable Default VPC DNS Support. Default: true | bool |
true |
no |
| default_vpc_name | (optional) Default VPC Name. Default: null | string |
null |
no |
| default_vpc_tags | (optional) Default VPC tags. Default: {} | map(string) |
{} |
no |
| enable_dns_hostnames | Should be true to enable DNS hostnames in the VPC | bool |
true |
no |
| enable_dns_support | Should be true to enable DNS support in the VPC | bool |
true |
no |
| enable_flow_log | (optional) Enable Flow lgos. Default: true | bool |
true |
no |
| enable_ipv6 | Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block. | bool |
false |
no |
| enable_nat_gateway | Should be true if you want to provision NAT Gateways for each of your private networks | bool |
false |
no |
| enable_vpn_gateway | (optional) Set it to true if you want to create new vpn gateway. Default: false | bool |
false |
no |
| external_nat_ip_ids | List of EIP IDs to be assigned to the NAT Gateways (used in combination with reuse_nat_ips) | list(string) |
[] |
no |
| flow_log_cloudwatch_iam_role_arn | (optional) The ARN for the IAM role that's used to post flow logs to a CloudWatch Logs log group. When flow_log_destination_arn is set to ARN of Cloudwatch Logs, this argument needs to be provided. | string |
"" |
no |
| flow_log_cloudwatch_log_group_kms_key_id | (optional) The ARN of the KMS Key to use when encrypting log data for VPC flow logs. | string |
null |
no |
| flow_log_cloudwatch_log_group_name_prefix | (optional) Specifies the name prefix of CloudWatch Log Group for VPC flow logs. | string |
"/aws/vpc-flow-log/" |
no |
| flow_log_cloudwatch_log_group_name_suffix | (optional) Specifies the name suffix of CloudWatch Log Group for VPC flow logs. | string |
"" |
no |
| flow_log_cloudwatch_log_group_retention_in_days | (optional) Specifies the number of days you want to retain log events in the specified log group for VPC flow logs. | number |
null |
no |
| flow_log_destination_arn | (optional) The ARN of the CloudWatch log group or S3 bucket where VPC Flow Logs will be pushed. If this ARN is a S3 bucket the appropriate permissions need to be set on that bucket's policy. When create_flow_log_cloudwatch_log_group is set to false this argument must be provided. | string |
"" |
no |
| flow_log_destination_type | Type of flow log destination. Can be s3 or cloud-watch-logs. Default: cloud-watch-logs | string |
"cloud-watch-logs" |
no |
| flow_log_log_format | The fields to include in the flow log record, in the order in which they should appear. | string |
null |
no |
| flow_log_max_aggregation_interval | (optional) The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: 60 seconds or 600 seconds. |
number |
600 |
no |
| flow_log_traffic_type | The type of traffic to capture. Valid values: ACCEPT, REJECT, ALL. Default: REJECT | string |
"REJECT" |
no |
| igw_tags | Additional tags for the internet gateway | map(string) |
{} |
no |
| instance_tenancy | A tenancy option for instances launched into the VPC | string |
"default" |
no |
| ipv4_ipam_pool_id | (Optional) The ID of an IPv4 IPAM pool you want to use for allocating this VPC's CIDR. | string |
null |
no |
| ipv4_netmask_length | (Optional) The netmask length of the IPv4 CIDR you want to allocate to this VPC. Requires specifying a ipv4_ipam_pool_id. | number |
null |
no |
| ipv6_cidr | (Optional) IPv6 CIDR block to request from an IPAM Pool. Can be set explicitly or derived from IPAM using ipv6_netmask_length. |
string |
null |
no |
| ipv6_ipam_pool_id | (Optional) IPAM Pool ID for a IPv6 pool. Conflicts with assign_generated_ipv6_cidr_block. |
string |
null |
no |
| ipv6_netmask_length | (Optional) Netmask length to request from IPAM Pool. Conflicts with ipv6_cidr_block. This can be omitted if IPAM pool as a allocation_default_netmask_length set. Valid values: 56. |
number |
null |
no |
| manage_default_network_acl | (optional) Default network ACL management. Default: false | bool |
false |
no |
| manage_default_security_group | Should be true to adopt and manage default security group | bool |
true |
no |
| manage_default_vpc | (optional) Manage Default VPC. Default: false | bool |
false |
no |
| map_public_ip_on_launch | Should be false if you do not want to auto-assign public IP on launch | bool |
true |
no |
| name | Name to be used on all the resources as identifier | string |
"sudo-vpc" |
no |
| nat_eip_tags | Additional tags for the NAT EIP | map(string) |
{} |
no |
| nat_gateway_destination_cidr_block | Used to pass a custom destination route for private NAT Gateway. If not specified, the default 0.0.0.0/0 is used as a destination route. | string |
"0.0.0.0/0" |
no |
| nat_gateway_tags | Additional tags for the NAT gateways | map(string) |
{} |
no |
| one_nat_gateway_per_az | Should be true if you want only one NAT Gateway per availability zone. Requires var.azs to be set, and the number of public_subnets created to be greater than or equal to the number of availability zones specified in var.azs. |
bool |
false |
no |
| private_route_table_tags | Additional tags for the private route tables | map(string) |
{} |
no |
| private_subnet_assign_ipv6_address_on_creation | Assign IPv6 address on private subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch | bool |
null |
no |
| private_subnet_ipv6_prefixes | Assigns IPv6 private subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list | list(string) |
[] |
no |
| private_subnet_names | Explicit values to use in the Name tag on private subnets. If empty, Name tags are generated. | list(string) |
[] |
no |
| private_subnet_suffix | Suffix to append to private subnets name | string |
"private" |
no |
| private_subnet_tags | Additional tags for the private subnets | map(string) |
{} |
no |
| private_subnets | A list of private subnets inside the VPC | list(string) |
[] |
no |
| propagate_intra_route_tables_vgw | (optional) Set to true to enable route table propogation. Default: false | bool |
false |
no |
| propagate_private_route_tables_vgw | (optional) Set to true to enable route table propogation. Default: false | bool |
false |
no |
| propagate_public_route_tables_vgw | (optional) Set to true to enable route table propogation. Default: false | bool |
false |
no |
| public_route_table_tags | Additional tags for the public route tables | map(string) |
{} |
no |
| public_subnet_assign_ipv6_address_on_creation | Assign IPv6 address on public subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch | bool |
null |
no |
| public_subnet_ipv6_prefixes | Assigns IPv6 public subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list | list(string) |
[] |
no |
| public_subnet_names | Explicit values to use in the Name tag on public subnets. If empty, Name tags are generated. | list(string) |
[] |
no |
| public_subnet_suffix | Suffix to append to public subnets name | string |
"public" |
no |
| public_subnet_tags | Additional tags for the public subnets | map(string) |
{} |
no |
| public_subnets | A list of public subnets inside the VPC | list(string) |
[] |
no |
| reuse_nat_ips | Should be true if you don't want EIPs to be created for your NAT Gateways and will instead pass them in via the 'external_nat_ip_ids' variable | bool |
false |
no |
| secondary_cidr_blocks | List of secondary CIDR blocks to associate with the VPC to extend the IP Address pool | list(string) |
[] |
no |
| single_nat_gateway | Should be true if you want to provision a single shared NAT Gateway across all of your private networks | bool |
true |
no |
| tags | A map of tags to add to all resources | map(string) |
{} |
no |
| use_ipam_pool | Determines whether IPAM pool is used for CIDR allocation | bool |
false |
no |
| vpc_flow_log_permissions_boundary | {90tional) The ARN of the Permissions Boundary for the VPC Flow Log IAM Role | string |
null |
no |
| vpc_flow_log_tags | (optional) Additional tags for the VPC Flow Logs | map(string) |
{} |
no |
| vpc_tags | Additional tags for the VPC | map(string) |
{} |
no |
| vpn_gateway_az | VPN Gateway Availability Zone | string |
null |
no |
| vpn_gateway_id | (optional) Provide the ID of existing VPN gateway to attach to VPC | string |
"" |
no |
| vpn_gateway_tags | (optional) Additional tags for the VPN gateway | map(string) |
{} |
no |
| Name | Description |
|---|---|
| cgw_arns | Customer Gateway ARNs list |
| cgw_ids | Customer Gateway ID List |
| database_subnet_group | ID of database subnet group |
| database_subnet_group_name | Name of database subnet group |
| default_network_acl_id | Default Network ACL ID |
| default_route_table_id | Default Route Table ID |
| default_security_group_id | Default Security Group ID |
| default_vpc_arn | Default VPC ARN |
| default_vpc_cidr_block | Default VPC CIDR Block |
| default_vpc_default_network_acl_id | Default NACL ID of the Default VPC |
| default_vpc_default_route_table_id | Default route table ID of the default VPC |
| default_vpc_default_security_group_id | Seucrity Group ID for default security group of default VPC |
| default_vpc_id | Default VPC ID |
| private_route_table_ids | Private route tables IDs |
| private_subnet_arns | Private Subnet ARN List |
| private_subnets | Private Subnet ID List |
| private_subnets_cidr_blocks | Private Subnets CIDR Block list |
| private_subnets_ipv6_cidr_blocks | Private Subnet IPv6 cidr blocks |
| public_route_table_ids | public route tables IDs |
| public_subnet_arns | Public Subnet ARN List |
| public_subnets | Public Subnet ID List |
| public_subnets_cidr_blocks | Public Subnet CIDR Block list |
| public_subnets_ipv6_cidr_blocks | Public Subnet IPv6 CIDR block list |
| this_customer_gateway | Customer Gateway attributes map |
| vgw_arn | VPN Gateway ARN |
| vgw_id | VPN Gateway ID |
| vpc_arn | VPC ARN |
| vpc_cidr_block | VPC CIDR Block |
| vpc_id | VPC ID |
This module takes a lot of a code from https://github.com/terraform-aws-modules/terraform-aws-vpc which is built by Anton Babenko and if you want to consider sponsoring please sponsor him.