TechNative's VPC boilerplate module.
- The standard 'Module guidelines' from https://docs-mcs.technative.eu/infra-as-code/terraform-code-organization/ apply.
- Network-specific design goals are listed below.
- Do not implement workload security controls in this module. The network ACLs it creates allow all traffic in both directions (aws_network_acl_rule.allow_all_inbound / allow_all_outbound), so restricting traffic is the job of the security groups attached by the consumers of the network.
- Reset and take control of the VPC's default resources (default security group, network ACL, route table and DHCP options) as much as possible, so nothing outside this module relies on AWS-created defaults.
- Create the VPC.
- Advanced subnet configuration in JSON.
- Cheap NATs (see the input use_nat_instances).
Use network.example.json as the starting point for your own network. Every consumer of the network must use the subnet_groups output and be configured to use an entire subnet_group; any addition to the network is then propagated to its consumers (e.g. ASG, ALB) automatically.
This module defines a subnet_group as a collection of subnets that can easily be extended and must be used as a single entity. Each consumer of subnets must have its subnet_group key configured and fetch the corresponding subnets from output.subnet_groups, so that any subnets added later are picked up automatically.
Beware: keys in the subnets map must only ever be added in ascending order, and an existing subnet must be retired by setting its is_provisioned to false, never by deleting its key. The module uses hashicorp/subnets/cidr to calculate the CIDR blocks; these are allocated consecutively and without gaps in key order, so the mapping of keys to CIDRs stays stable only when the map is extended. Deleting or reordering a key shifts the CIDR of every subnet after it, and because cidr_block forces replacement of an aws_subnet, Terraform will destroy and recreate those subnets together with everything attached to them.
Each subnet.subnet_group must refer to an existing key in the subnet_groups map. Use networkaddress_bits to define the number of host-address bits of the subnet, i.e. the subnet gets 2^networkaddress_bits addresses. The value must be greater than 3 because AWS does not allow subnets smaller than /28, and AWS reserves five addresses in every subnet (network address, VPC router, DNS, one reserved for future use, broadcast address), so:
networkaddress_bits = 4 -> /28 -> 11 usable addresses
networkaddress_bits = 8 -> /24 -> 251 usable addresses
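The following Python script is an added illustration of the allocation rules above; it is not part of this module or of hashicorp/subnets/cidr. It re-creates the consecutive, gapless CIDR allocation so you can see why subnet keys must only be appended, why a subnet is retired with is_provisioned = false instead of deleting its key, and how a subnet_group grows when the map is extended. The VPC layout 10.<vpc_cidr_partition_id>.0.0/16, the example subnet keys and the reading of networkaddress_bits as host bits are assumptions for the example, not facts taken from the module.

```python
"""Added illustration of the subnet allocation rules (not the module's own code).

Assumptions, not taken from the module: the VPC CIDR is 10.<partition_id>.0.0/16,
networkaddress_bits is the number of host bits of a subnet, and a subnet with
is_provisioned = false still reserves its block so later subnets do not move.
"""
import ipaddress
from typing import Dict, List

# AWS reserves the first four addresses and the last address of every subnet.
AWS_RESERVED_PER_SUBNET = 5


def usable_addresses(networkaddress_bits: int) -> int:
    """Usable host addresses of a subnet with 2**networkaddress_bits addresses."""
    if networkaddress_bits < 4:  # AWS' smallest subnet is a /28
        raise ValueError("networkaddress_bits must be greater than 3")
    return 2 ** networkaddress_bits - AWS_RESERVED_PER_SUBNET


def vpc_cidr_for_partition(vpc_cidr_partition_id: int) -> str:
    """Hypothetical layout: one /16 per partition id so VPCs never overlap."""
    if not 0 <= vpc_cidr_partition_id <= 255:
        raise ValueError("vpc_cidr_partition_id must be between 0 and 255")
    return f"10.{vpc_cidr_partition_id}.0.0/16"


def allocate_subnets(vpc_cidr: str, subnets: List[dict]) -> Dict[str, str]:
    """Allocate CIDR blocks consecutively in the given (map key) order.

    Each entry: {"key": str, "networkaddress_bits": int, "subnet_group": str,
                 "is_provisioned": bool (default True)}.
    Unprovisioned entries consume their block but are not returned, which keeps
    the CIDR of every later subnet unchanged.
    """
    vpc = ipaddress.IPv4Network(vpc_cidr)
    cursor = int(vpc.network_address)
    end = int(vpc.broadcast_address) + 1
    allocation: Dict[str, str] = {}
    for subnet in subnets:
        host_bits = subnet["networkaddress_bits"]
        size = 2 ** host_bits
        # A CIDR block must start on a multiple of its size; skip forward if needed.
        if cursor % size:
            cursor += size - cursor % size
        if cursor + size > end:
            raise ValueError(f"VPC {vpc} has no room left for subnet {subnet['key']}")
        if subnet.get("is_provisioned", True):
            allocation[subnet["key"]] = str(ipaddress.IPv4Network((cursor, 32 - host_bits)))
        cursor += size
    return allocation


def subnet_groups(subnets: List[dict], allocation: Dict[str, str]) -> Dict[str, List[str]]:
    """Group the provisioned subnet CIDRs by subnet_group, like the module's output."""
    groups: Dict[str, List[str]] = {}
    for subnet in subnets:
        if subnet["key"] in allocation:
            groups.setdefault(subnet["subnet_group"], []).append(allocation[subnet["key"]])
    return groups


# Constructed example configuration; keys are sorted ascending as the module requires.
ORIGINAL = [
    {"key": "10_private_a", "networkaddress_bits": 8, "subnet_group": "private"},
    {"key": "20_private_b", "networkaddress_bits": 8, "subnet_group": "private"},
    {"key": "30_public_a", "networkaddress_bits": 4, "subnet_group": "public"},
]
# Wrong way to remove 20_private_b: delete the key. 30_public_a shifts and is recreated.
KEY_DELETED = [s for s in ORIGINAL if s["key"] != "20_private_b"]
# Right way: keep the key and set is_provisioned = false. Nothing else moves.
RETIRED = [dict(s, is_provisioned=(s["key"] != "20_private_b")) for s in ORIGINAL]
# Extending the map: the new subnet joins the "public" group automatically.
EXTENDED = ORIGINAL + [{"key": "40_public_b", "networkaddress_bits": 4, "subnet_group": "public"}]

if __name__ == "__main__":
    vpc = vpc_cidr_for_partition(1)
    for label, cfg in [("original", ORIGINAL), ("key deleted", KEY_DELETED),
                       ("retired", RETIRED), ("extended", EXTENDED)]:
        alloc = allocate_subnets(vpc, cfg)
        print(label, alloc, subnet_groups(cfg, alloc))
```

Running the script shows 30_public_a moving from 10.1.2.0/28 to 10.1.1.0/28 when the key of 20_private_b is deleted, staying put when that subnet is merely retired, and the extended map adding 10.1.2.16/28 to the public group without touching the existing subnets.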
Subnet groups could be extended automatically when AWS adds new availability zones. The downside is that if many new AZs arrive, the allocation overflows the available VPC CIDR block, so this is not implemented for now; each subnet still requires some manual configuration.
Providers

| Name | Version |
|---|---|
| aws | >=5.22.0 |
Modules

| Name | Source | Version |
|---|---|---|
| nat_instances | ./nat_instances | n/a |
| s3_flow_logs | [email protected]:wearetechnative/terraform-aws-s3 | 73aa13eeb59184ce88cd9e925e9dc1504cc18940 |
| subnet_addrs | hashicorp/subnets/cidr | 1.0.0 |
Resources

| Name | Type |
|---|---|
| aws_default_network_acl.default | resource |
| aws_default_route_table.default | resource |
| aws_default_security_group.default | resource |
| aws_eip.this | resource |
| aws_flow_log.this | resource |
| aws_internet_gateway.this | resource |
| aws_nat_gateway.this | resource |
| aws_network_acl.this | resource |
| aws_network_acl_association.this | resource |
| aws_network_acl_rule.allow_all_inbound | resource |
| aws_network_acl_rule.allow_all_outbound | resource |
| aws_route.internet_gateway | resource |
| aws_route.nat_gateway | resource |
| aws_route_table.this | resource |
| aws_route_table_association.this | resource |
| aws_subnet.this | resource |
| aws_vpc.this | resource |
| aws_vpc_dhcp_options.default | resource |
| aws_vpc_dhcp_options_association.default | resource |
| aws_vpc_endpoint.dynamodb | resource |
| aws_vpc_endpoint.s3 | resource |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.vpc_flow_logs | data source |
| aws_partition.current | data source |
| aws_region.current | data source |
Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| configuration | Configuration object indicating required setup. | object({ | n/a | yes |
| kms_key_arn | KMS key to use for VPC Flow logs. | string | n/a | yes |
| name | VPC name | string | n/a | yes |
| sqs_dlq_arn | SQS DLQ ARN to transfer unprocessed / failed infra messages into. | string | n/a | yes |
| use_nat_instances | Use cheap (t4g.nano) instances to save cost. | bool | false | no |
| vpc_cidr_partition_id | A number between 0 and 255 to prevent overlapping CIDR ranges. | number | n/a | yes |
Outputs

| Name | Description |
|---|---|
| subnet_groups | Map of subnet_group key to the subnets in that group; consumers must use an entire group (see above). |
| vpc_id | ID of the created VPC. |