The purpose of this module is to provide a consistent way to provision a VPC and associated resources in AWS.
Add example usage here
module "vpc" {
source = "appvia/network/aws"
version = "0.0.8"
availability_zones = var.availability_zones
enable_ipam = var.enable_ipam
enable_ssm = var.enable_ssm
enable_transit_gateway_appliance_mode = true
ipam_pool_id = data.aws_vpc_ipam_pool.current.id
name = var.name
private_subnet_netmask = var.private_subnet_netmask
public_subnet_netmask = var.public_subnet_netmask
tags = var.tags
transit_gateway_id = data.aws_ec2_transit_gateway.this.id
vpc_cidr = var.vpc_cidr
transit_gateway_rotues = {
private = aws_ec2_managed_prefix_list.internal.id
}
}To enable NAT gateways in your VPC, you can use the enable_nat_gateway and nat_gateway_mode variables. Here are some examples:
# Single NAT Gateway for all AZs
module "vpc" {
source = "appvia/network/aws"
version = "0.0.8"
nat_gateway_mode = "single"
# ... other configuration ...
}
# One NAT Gateway per AZ for high availability
module "vpc" {
source = "appvia/network/aws"
version = "0.0.8"
nat_gateway_mode = "one_per_az"
# ... other configuration ...
}Remember that NAT gateways incur costs, so choose the configuration that best balances your availability requirements and budget.
The module supports connecting your VPC to an AWS Transit Gateway. Here are some common configurations:
# Basic Transit Gateway connection
module "vpc" {
source = "appvia/network/aws"
version = "0.0.8"
transit_gateway_id = "tgw-1234567890abcdef0" # Your Transit Gateway ID
# Default route to Transit Gateway for private subnets
transit_gateway_routes = {
private = "10.0.0.0/8" # Route all 10.0.0.0/8 traffic to Transit Gateway
}
# ... other configuration ...
}
# Transit Gateway with appliance mode (for network appliances)
module "vpc" {
source = "appvia/network/aws"
version = "0.0.8"
enable_transit_gateway_appliance_mode = true
transit_gateway_id = "tgw-1234567890abcdef0"
# Using a prefix list for routes
transit_gateway_routes = {
private = "pl-1234567890abcdef0" # AWS prefix list ID
}
# ... other configuration ...
}The Transit Gateway configuration supports:
- Connecting to an existing Transit Gateway
- Appliance mode for network appliance deployments
- Custom routing using CIDR blocks or prefix lists
- Optional NAT Gateway access for Transit Gateway subnets
The module supports creating VPC endpoints for AWS services. Here are some common configurations:
# Enable SSM endpoints (Session Manager)
module "vpc" {
source = "appvia/network/aws"
version = "0.0.8"
enable_ssm = true
# ... other configuration ...
}
# Enable specific private endpoints
module "vpc" {
source = "appvia/network/aws"
version = "0.0.8"
enable_private_endpoints = [
"ecr.api",
"ecr.dkr",
"s3",
"logs"
]
# ... other configuration ...
}You can use enable_ssm as a shortcut to enable the SSM endpoints.
module "vpc" {
source = "appvia/network/aws"
version = "0.0.8"
enable_ssm = true
}To enable DNS request logging in your VPC, you can use the enable_dns_request_logging variable. This feature allows you to log DNS queries made within your VPC, which can be useful for monitoring and troubleshooting.
Here is an example configuration:
module "vpc" {
source = "appvia/network/aws"
version = "0.0.8"
enable_dns_request_logging = true
# ... other configuration ...
}The module supports automatically associating shared Route53 Resolver Rules with your VPC. By default, any resolver rules shared with your account will be automatically associated. Here are some configuration examples:
# Disable automatic resolver rule association
module "vpc" {
source = "appvia/network/aws"
version = "0.0.8"
enable_route53_resolver_rules = false
# ... other configuration ...
}
# Exclude specific resolver rules from association
module "vpc" {
source = "appvia/network/aws"
version = "0.0.8"
enable_route53_resolver_rules = true
exclude_route53_resolver_rules = ["rslvr-rr-1234567890abcdef0"] # Resolver Rule IDs to exclude
# ... other configuration ...
}By default (enable_route53_resolver_rules = true), the module will:
- Automatically discover all resolver rules shared with your account
- Associate them with the VPC being created
- Allow you to exclude specific rules using the
exclude_route53_resolver_rulesvariable
To add more subnets to your VPC, you can extend the subnet configurations in your Terraform code. Here are some examples:
module "vpc" {
subnets = {
public = {
cidr_blocks = ["10.0.10.0/24", "10.0.11.0/24", "10.0.12.0/24"]
tags = {
Name = "public-subnets"
}
}
}
}VPC sharing allows multiple AWS accounts to create their application resources, such as Amazon EC2 instances, Amazon RDS databases, and Amazon Redshift clusters, into a shared, centrally managed VPC. The benefits of VPC sharing include:
- Cost Savings: By sharing a single VPC across multiple accounts, you can reduce the number of VPCs needed, which can lead to cost savings.
- Simplified Network Management: Centralized management of network resources simplifies the administration and monitoring of network configurations.
- Improved Security: VPC sharing allows for consistent security policies and monitoring across multiple accounts, enhancing the overall security posture.
Remember to:
- Ensure CIDR blocks don't overlap
- Consider your IP address space requirements
- Follow your organization's IP addressing scheme
- Update route tables and network ACLs accordingly
The module include a convenient way to share subnets using AWS Resource Access Manager (RAM). Here is an example configuration:
## Alternatively you specify the subnets directly
module "vpc" {
source = "../.."
availability_zones = 3
name = "development"
tags = local.tags
vpc_cidr = "10.90.0.0/16"
subnets = {
prod = {
netmask = 24
}
"dev" = {
netmask = 24
}
}
}
## Note, due to the arns being dynamic this will be need to perform with a target,
## i.e vpc must exist before the share can be applied.
module "share_dev" {
source = "../../modules/shared"
name = "dev"
share = { accounts = ["123456789012"] }
subnet_arns = module.vpc.all_subnets_by_name["dev"].arns
tags = local.tags
depends_on = [module.vpc]
}The terraform-docs utility is used to generate this README. Follow the below steps to update:
- Make changes to the
.terraform-docs.ymlfile - Fetch the
terraform-docsbinary (https://terraform-docs.io/user-guide/installation/) - Run
terraform-docs markdown table --output-file ${PWD}/README.md --output-mode inject .
| Name | Version |
|---|---|
| aws | ~> 5.0 |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| name | Is the name of the network to provision | string |
n/a | yes |
| tags | Tags to apply to all resources | map(string) |
n/a | yes |
| availability_zones | The number of availability zone the network should be deployed into | number |
2 |
no |
| dns_query_log_retention | The number of days to retain DNS query logs | number |
7 |
no |
| enable_default_route_table_association | Indicates the transit gateway default route table should be associated with the subnets | bool |
true |
no |
| enable_default_route_table_propagation | Indicates the transit gateway default route table should be propagated to the subnets | bool |
true |
no |
| enable_dns_request_logging | Enable logging of DNS requests | bool |
false |
no |
| enable_private_endpoints | Indicates the network should provision private endpoints | list(string) |
[] |
no |
| enable_route53_resolver_rules | Automatically associates any shared route53 resolver rules with the VPC | bool |
true |
no |
| enable_ssm | Indicates we should provision SSM private endpoints | bool |
false |
no |
| enable_transit_gateway_appliance_mode | Indicates the network should be connected to a transit gateway in appliance mode | bool |
false |
no |
| enable_transit_gateway_subnet_natgw | Indicates if the transit gateway subnets should be connected to a nat gateway | bool |
false |
no |
| exclude_route53_resolver_rules | List of resolver rules to exclude from association | list(string) |
[] |
no |
| ipam_pool_id | An optional pool id to use for IPAM pool to use | string |
null |
no |
| nat_gateway_mode | The configuration mode of the NAT gateways | string |
"none" |
no |
| private_subnet_netmask | The netmask for the private subnets | number |
0 |
no |
| private_subnet_tags | Additional tags for the private subnets | map(string) |
{} |
no |
| public_subnet_netmask | The netmask for the public subnets | number |
0 |
no |
| public_subnet_tags | Additional tags for the public subnets | map(string) |
{} |
no |
| subnets | Additional subnets to create in the network, keyed by the subnet name | any |
{} |
no |
| transit_gateway_id | If enabled, and not lookup is disabled, the transit gateway id to connect to | string |
null |
no |
| transit_gateway_routes | If enabled, this is the cidr block to route down the transit gateway | map(string) |
{ |
no |
| transit_subnet_tags | Additional tags for the transit subnets | map(string) |
{} |
no |
| vpc_cidr | An optional cidr block to assign to the VPC (if not using IPAM) | string |
null |
no |
| vpc_instance_tenancy | The name of the VPC to create | string |
"default" |
no |
| vpc_netmask | An optional range assigned to the VPC | number |
null |
no |
| Name | Description |
|---|---|
| all_subnets_by_name | A map of the subnet name to the subnet ID i.e. private/us-east-1a => subnet_id |
| nat_public_ips | The public IPs of the NAT Gateways i.e [public_ip, public_ip] |
| natgw_id_per_az | The IDs of the NAT Gateways (see aws-ia/vpc/aws for details) |
| private_route_table_ids | The IDs of the private route tables ie. [route_table_id, route_table_id] |
| private_subnet_attributes_by_az | The attributes of the private subnets (see aws-ia/vpc/aws for details) |
| private_subnet_cidr_by_id | A map of the private subnet ID to CIDR block i.e. us-west-2a => subnet_cidr |
| private_subnet_cidrs | A list of the CIDRs for the private subnets |
| private_subnet_id_by_az | A map of availability zone to subnet id of the private subnets i.e. eu-west-2a => subnet_id |
| private_subnet_ids | The IDs of the private subnets i.e. [subnet_id, subnet_id] |
| public_route_table_ids | The IDs of the public route tables ie. [route_table_id, route_table_id] |
| public_subnet_attributes_by_az | The attributes of the public subnets (see aws-ia/vpc/aws for details) |
| public_subnet_cidr_by_id | A map of the public subnet ID to CIDR block i.e. us-west-2a => subnet_cidr |
| public_subnet_cidrs | A list of the CIDRs for the public subnets i.e. [subnet_cidr, subnet_cidr] |
| public_subnet_id_by_az | A map of availability zone to subnet id of the public subnets i.e. eu-west-2a => subnet_id |
| public_subnet_ids | The IDs of the public subnets i.e. [subnet_id, subnet_id] |
| rt_attributes_by_type_by_az | The attributes of the route tables (see aws-ia/vpc/aws for details) |
| subnets | The subnets created by the module |
| transit_gateway_attachment_id | The ID of the transit gateway attachment if enabled |
| transit_route_table_by_az | A map of availability zone to transit gateway route table ID i.e eu-west-2a => route_table_id |
| transit_route_table_ids | The IDs of the transit gateway route tables ie. [route_table_id, route_table_id] |
| transit_subnet_attributes_by_az | The attributes of the transit gateway subnets (see aws-ia/vpc/aws for details) |
| transit_subnet_ids | The IDs of the transit gateway subnets ie. [subnet_id, subnet_id] |
| vpc_attributes | The attributes of the VPC (see aws-ia/vpc/aws for details) |
| vpc_cidr | The CIDR block of the VPC |
| vpc_id | The ID of the VPC |