Skip to content

DNXLabs/terraform-aws-network

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

terraform-aws-network

Lint Status LICENSE

This module creates the basic network resources for a region.

The following resources will be created:

  • Virtual Private Cloud (VPC)
    • Enable DNS Hostname - A DNS hostname is a name that uniquely and absolutely names a computer; it's composed of a host name and a domain name. DNS servers resolve DNS hostnames to their corresponding IP addresses.
  • VPC Flow Logs
  • AWS Cloudwatch log groups
  • Subnets
    • Public
    • Private
    • Secure
    • Transit
  • Internet Gateway
  • Route tables for the Public, Private, Secure and Transit subnets
  • Associate all Route Tables created to the correct subnet
  • Nat Gateway
  • Network Access Control List (NACL) for all subnets
  • Database Subnet group - Provides an RDS DB subnet group resources
  • S3 VPC endpoint

Usage

module "network" {
  source = "git::https://github.com/DNXLabs/terraform-aws-network.git?ref=2.0.0"

  vpc_cidr              = "10.1.0.0/16"
  newbits               = 8             # will create /24 subnets
  name                  = "MyVPC"
  multi_nat             = false
}

Requirements

Name Version
terraform >= 1.5.1
terraform >= 1.5.1

Providers

Name Version
aws n/a

Inputs

Name Description Type Default Required
attachInternetGateway To attach or not the internet gateway within the public subnet. bool true no
byoip Enable module to use your own Elastic IPs (Bring Your Own IP) bool false no
cf_export_name Name prefix for the export resources of the cloud formation output string "" no
create_dbsubgroup_private Create Private Subgroup bool false no
create_dbsubgroup_public Create Public Subgroup bool false no
create_dbsubgroup_secure Create Secure Subgroup bool true no
eip_allocation_ids User-specified primary or secondary private IP address to associate with the Elastic IP address list(string) [] no
enable_firewall_default_rule Enable or disable the default stateful rule. bool true no
firewall_custom_rule_arn The stateful rule group arn created outside the module list(string) [] no
firewall_custom_rules The stateful rule group rules specifications in Suricata file format, with one rule per line list(string) [] no
firewall_domain_list List the domain names you want to take action on. list(any)
[
".amazonaws.com",
".github.com"
]
no
firewall_netnum_offset Start with this subnet for secure ones, plus number of AZs number 14 no
kms_key_arn The ARN of the KMS Key to use when encrypting log data. string "" no
kubernetes_clusters List of kubernetes cluster names to creates tags in public and private subnets of this VPC list(string) [] no
kubernetes_clusters_secure List of kubernetes cluster names to creates tags in secure subnets of this VPC list(string) [] no
kubernetes_clusters_type Use either 'owned' or 'shared' for kubernetes cluster tags string "shared" no
max_az Max number of AZs number 3 no
multi_nat Number of NAT Instances, 'true' will yield one per AZ while 'false' creates one NAT bool false no
name Name prefix for the resources of this stack string n/a yes
name_pattern Name pattern to use for resources. Options: default, kebab string "default" no
name_suffix Adds a name suffix to all resources created string "" no
nat Deploy NAT instance(s) bool true no
network_firewall Enable or disable VPC Network Firewall bool false no
newbits Number of bits to add to the vpc cidr when building subnets number 5 no
private_netnum_offset Start with this subnet for private ones, plus number of AZs number 5 no
public_nacl_icmp Allows ICMP traffic to and from the public subnet bool true no
public_nacl_inbound_tcp_ports TCP Ports to allow inbound on public subnet via NACLs (this list cannot be empty) list(string)
[
"80",
"443",
"22",
"1194"
]
no
public_nacl_inbound_udp_ports UDP Ports to allow inbound on public subnet via NACLs (this list cannot be empty) list(string) [] no
public_nacl_outbound_tcp_ports TCP Ports to allow outbound to external services (use [0] to allow all ports) list(string)
[
"0"
]
no
public_nacl_outbound_udp_ports UDP Ports to allow outbound to external services (use [0] to allow all ports) list(string)
[
"0"
]
no
public_netnum_offset Start with this subnet for public ones, plus number of AZs number 0 no
secure_netnum_offset Start with this subnet for secure ones, plus number of AZs number 10 no
tags Extra tags to attach to resources map(string) {} no
transit_nacl_inbound_tcp_ports TCP Ports to allow inbound on transit subnet via NACLs (this list cannot be empty) list(string)
[
"1194"
]
no
transit_nacl_inbound_udp_ports UDP Ports to allow inbound on transit subnet via NACLs (this list cannot be empty) list(string)
[
"1194"
]
no
transit_netnum_offset Start with this subnet for secure ones, plus number of AZs number 15 no
transit_subnet Create a transit subnet for VPC peering (only central account) bool false no
vpc_cidr Network CIDR for the VPC string n/a yes
vpc_cidr_summ Define cidr used to summarize subnets by tier string "/0" no
vpc_endpoint_dynamodb_gateway Enable or disable VPC Endpoint for DynamoDB (Gateway) bool true no
vpc_endpoint_s3_gateway Enable or disable VPC Endpoint for S3 Gateway bool true no
vpc_endpoint_s3_policy A policy to attach to the endpoint that controls access to the service string `" {
    \"Statement\": [
        {
            \"Action\": \"*\",\"Effect\": \"Allow\",\"Resource\": \"*\",\"Principal\": \"*\"
        }
    ]
}

"| no | | vpc\_endpoints | AWS services to create a VPC endpoint on private subnets for (e.g: ssm, ec2, ecr.dkr) | <pre>list(object(<br> {<br> name = string<br> policy = optional(string)<br> allowed_cidrs = optional(list(string))<br> }<br> ))</pre> |[]| no | | vpc\_flow\_logs | Enable or disable VPC Flow Logs |bool|true| no | | vpc\_flow\_logs\_retention | Retention in days for VPC Flow Logs CloudWatch Log Group |number|365` | no |

Outputs

Name Description
cidr_block CIDR for VPC created
db_subnet_group_private_id n/a
db_subnet_group_public_id n/a
db_subnet_group_secure_id n/a
firewall_subnet_cidrs List of firewall subnet CIDRs
firewall_subnet_ids List of firewall subnet IDs
internet_gateway_id ID of Internet Gateway created
nat_gateway n/a
nat_gateway_ids List of NAT Gateway IDs
private_nacl_id n/a
private_nacls n/a
private_route_table_id n/a
private_subnet_cidrs List of private subnet CIDRs
private_subnet_ids List of private subnet IDs
private_subnets n/a
public_nacl_id n/a
public_nacls n/a
public_route_table_id n/a
public_subnet_cidrs List of public subnet CIDRs
public_subnet_ids List of public subnet IDs
public_subnets n/a
secure_db_subnet n/a
secure_nacl_id n/a
secure_nacls n/a
secure_route_table_id n/a
secure_subnet_cidrs List of secure subnet CIDRs
secure_subnet_ids List of secure subnet IDs
secure_subnets n/a
transit_nacl_id n/a
transit_route_table_id n/a
transit_subnets n/a
vpc_id ID for VPC created

Authors

Module managed by DNX Solutions.

License

Apache 2 Licensed. See LICENSE for full details.