This module creates the basic network resources for a region.
The following resources will be created:
- Virtual Private Cloud (VPC)
- Enable DNS Hostname - A DNS hostname is a name that uniquely and absolutely names a computer; it's composed of a host name and a domain name. DNS servers resolve DNS hostnames to their corresponding IP addresses.
- VPC Flow Logs
- AWS Cloudwatch log groups
- Subnets
- Public
- Private
- Secure
- Transit
- Internet Gateway
- Route tables for the Public, Private, Secure and Transit subnets
- Associate all Route Tables created to the correct subnet
- Nat Gateway
- Network Access Control List (NACL) for all subnets
- Database Subnet group - Provides an RDS DB subnet group resources
- S3 VPC endpoint
module "network" {
source = "git::https://github.com/DNXLabs/terraform-aws-network.git?ref=2.0.0"
vpc_cidr = "10.1.0.0/16"
newbits = 8 # will create /24 subnets
name = "MyVPC"
multi_nat = false
}
Name | Version |
---|---|
terraform | >= 1.5.1 |
terraform | >= 1.5.1 |
Name | Version |
---|---|
aws | n/a |
Name | Description | Type | Default | Required |
---|---|---|---|---|
attachInternetGateway | To attach or not the internet gateway within the public subnet. | bool |
true |
no |
byoip | Enable module to use your own Elastic IPs (Bring Your Own IP) | bool |
false |
no |
cf_export_name | Name prefix for the export resources of the cloud formation output | string |
"" |
no |
create_dbsubgroup_private | Create Private Subgroup | bool |
false |
no |
create_dbsubgroup_public | Create Public Subgroup | bool |
false |
no |
create_dbsubgroup_secure | Create Secure Subgroup | bool |
true |
no |
eip_allocation_ids | User-specified primary or secondary private IP address to associate with the Elastic IP address | list(string) |
[] |
no |
enable_firewall_default_rule | Enable or disable the default stateful rule. | bool |
true |
no |
firewall_custom_rule_arn | The stateful rule group arn created outside the module | list(string) |
[] |
no |
firewall_custom_rules | The stateful rule group rules specifications in Suricata file format, with one rule per line | list(string) |
[] |
no |
firewall_domain_list | List the domain names you want to take action on. | list(any) |
[ |
no |
firewall_netnum_offset | Start with this subnet for secure ones, plus number of AZs | number |
14 |
no |
kms_key_arn | The ARN of the KMS Key to use when encrypting log data. | string |
"" |
no |
kubernetes_clusters | List of kubernetes cluster names to creates tags in public and private subnets of this VPC | list(string) |
[] |
no |
kubernetes_clusters_secure | List of kubernetes cluster names to creates tags in secure subnets of this VPC | list(string) |
[] |
no |
kubernetes_clusters_type | Use either 'owned' or 'shared' for kubernetes cluster tags | string |
"shared" |
no |
max_az | Max number of AZs | number |
3 |
no |
multi_nat | Number of NAT Instances, 'true' will yield one per AZ while 'false' creates one NAT | bool |
false |
no |
name | Name prefix for the resources of this stack | string |
n/a | yes |
name_pattern | Name pattern to use for resources. Options: default, kebab | string |
"default" |
no |
name_suffix | Adds a name suffix to all resources created | string |
"" |
no |
nat | Deploy NAT instance(s) | bool |
true |
no |
network_firewall | Enable or disable VPC Network Firewall | bool |
false |
no |
newbits | Number of bits to add to the vpc cidr when building subnets | number |
5 |
no |
private_netnum_offset | Start with this subnet for private ones, plus number of AZs | number |
5 |
no |
public_nacl_icmp | Allows ICMP traffic to and from the public subnet | bool |
true |
no |
public_nacl_inbound_tcp_ports | TCP Ports to allow inbound on public subnet via NACLs (this list cannot be empty) | list(string) |
[ |
no |
public_nacl_inbound_udp_ports | UDP Ports to allow inbound on public subnet via NACLs (this list cannot be empty) | list(string) |
[] |
no |
public_nacl_outbound_tcp_ports | TCP Ports to allow outbound to external services (use [0] to allow all ports) | list(string) |
[ |
no |
public_nacl_outbound_udp_ports | UDP Ports to allow outbound to external services (use [0] to allow all ports) | list(string) |
[ |
no |
public_netnum_offset | Start with this subnet for public ones, plus number of AZs | number |
0 |
no |
secure_netnum_offset | Start with this subnet for secure ones, plus number of AZs | number |
10 |
no |
tags | Extra tags to attach to resources | map(string) |
{} |
no |
transit_nacl_inbound_tcp_ports | TCP Ports to allow inbound on transit subnet via NACLs (this list cannot be empty) | list(string) |
[ |
no |
transit_nacl_inbound_udp_ports | UDP Ports to allow inbound on transit subnet via NACLs (this list cannot be empty) | list(string) |
[ |
no |
transit_netnum_offset | Start with this subnet for secure ones, plus number of AZs | number |
15 |
no |
transit_subnet | Create a transit subnet for VPC peering (only central account) | bool |
false |
no |
vpc_cidr | Network CIDR for the VPC | string |
n/a | yes |
vpc_cidr_summ | Define cidr used to summarize subnets by tier | string |
"/0" |
no |
vpc_endpoint_dynamodb_gateway | Enable or disable VPC Endpoint for DynamoDB (Gateway) | bool |
true |
no |
vpc_endpoint_s3_gateway | Enable or disable VPC Endpoint for S3 Gateway | bool |
true |
no |
vpc_endpoint_s3_policy | A policy to attach to the endpoint that controls access to the service | string |
`" { |
\"Statement\": [
{
\"Action\": \"*\",\"Effect\": \"Allow\",\"Resource\": \"*\",\"Principal\": \"*\"
}
]
}
"| no | | vpc\_endpoints | AWS services to create a VPC endpoint on private subnets for (e.g: ssm, ec2, ecr.dkr) | <pre>list(object(<br> {<br> name = string<br> policy = optional(string)<br> allowed_cidrs = optional(list(string))<br> }<br> ))</pre> |
[]| no | | vpc\_flow\_logs | Enable or disable VPC Flow Logs |
bool|
true| no | | vpc\_flow\_logs\_retention | Retention in days for VPC Flow Logs CloudWatch Log Group |
number|
365` | no |
Name | Description |
---|---|
cidr_block | CIDR for VPC created |
db_subnet_group_private_id | n/a |
db_subnet_group_public_id | n/a |
db_subnet_group_secure_id | n/a |
firewall_subnet_cidrs | List of firewall subnet CIDRs |
firewall_subnet_ids | List of firewall subnet IDs |
internet_gateway_id | ID of Internet Gateway created |
nat_gateway | n/a |
nat_gateway_ids | List of NAT Gateway IDs |
private_nacl_id | n/a |
private_nacls | n/a |
private_route_table_id | n/a |
private_subnet_cidrs | List of private subnet CIDRs |
private_subnet_ids | List of private subnet IDs |
private_subnets | n/a |
public_nacl_id | n/a |
public_nacls | n/a |
public_route_table_id | n/a |
public_subnet_cidrs | List of public subnet CIDRs |
public_subnet_ids | List of public subnet IDs |
public_subnets | n/a |
secure_db_subnet | n/a |
secure_nacl_id | n/a |
secure_nacls | n/a |
secure_route_table_id | n/a |
secure_subnet_cidrs | List of secure subnet CIDRs |
secure_subnet_ids | List of secure subnet IDs |
secure_subnets | n/a |
transit_nacl_id | n/a |
transit_route_table_id | n/a |
transit_subnets | n/a |
vpc_id | ID for VPC created |
Module managed by DNX Solutions.
Apache 2 Licensed. See LICENSE for full details.