{"id":19205710,"url":"https://github.com/fairwindsops/terraform-vpc","last_synced_at":"2025-03-22T01:04:39.533Z","repository":{"id":38179897,"uuid":"44776348","full_name":"FairwindsOps/terraform-vpc","owner":"FairwindsOps","description":"Terraform module to create an AWS VPC","archived":false,"fork":false,"pushed_at":"2024-09-20T17:02:34.000Z","size":292,"stargazers_count":60,"open_issues_count":2,"forks_count":74,"subscribers_count":29,"default_branch":"master","last_synced_at":"2025-03-14T02:05:01.121Z","etag":null,"topics":["aws-vpc","fairwinds-official","terraform"],"latest_commit_sha":null,"homepage":"https://fairwinds.com","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/FairwindsOps.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"license.md","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2015-10-22T22:14:59.000Z","updated_at":"2024-09-20T17:02:38.000Z","dependencies_parsed_at":"2025-01-06T03:08:29.557Z","dependency_job_id":"67adb3ef-9e34-4093-ac26-95d013d8874c","html_url":"https://github.com/FairwindsOps/terraform-vpc","commit_stats":null,"previous_names":[],"tags_count":22,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/FairwindsOps%2Fterraform-vpc","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/FairwindsOps%2Fterraform-vpc/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/FairwindsOps%2Fterraform-vpc/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/FairwindsOps%2Fterrafo
rm-vpc/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/FairwindsOps","download_url":"https://codeload.github.com/FairwindsOps/terraform-vpc/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":244728214,"owners_count":20500023,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws-vpc","fairwinds-official","terraform"],"created_at":"2024-11-09T13:13:42.152Z","updated_at":"2025-03-22T01:04:39.508Z","avatar_url":"https://github.com/FairwindsOps.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Amazon Web Services VPC Terraform Module\n\nThis Terraform module creates a configurable general-purpose [Amazon Web Services VPC](http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Introduction.html). The module offers an opinionated but flexible network topology geared towards general-purpose situations with separate public and private subnets. Each VPC can be configured to support one to four availability zones. Private subnet [NAT](http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-nat.html) can be configured via [NAT Gateways](http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-nat-gateway.html). A single [Internet Gateway](http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Internet_Gateway.html) is created to provide public routing for public subnets. 
The module does not configure a bastion or VPN instance for private subnet instance access.\n\nThis module has been tested with Terraform version 0.12.9.\n\n## Example VPC Layout: 3 AZs\n\n![Example VPC: 3AZ](vpc_layout.png)\n\n## Usage\n\n* Include the module in your `main.tf`:\n\n```\nmodule \"vpc\" {\n  source = \"git::ssh://git@github.com/reactiveops/terraform-vpc.git?ref=3.0.0\"\n\n  aws_region = var.aws_region\n\n  az_count =  var.az_count\n  aws_azs = var.aws_azs\n\n  vpc_cidr_base = var.vpc_cidr_base\n\n}\n```\n\n* Create the required variables either in `main.tf` or a separate `variables.tf` file:\n\n```\nvariable \"aws_region\" {}\n\nvariable \"aws_azs\" {}\nvariable \"az_count\" {}\n\nvariable \"vpc_cidr_base\" {}\n\n```\n\n* Assign variable values, for example in a `terraform.tfvars` file:\n\n```\naws_azs = \"us-west-2a, us-west-2b, us-west-2c, us-west-2d\"\naz_count = 3\nvpc_cidr_base = \"10.0\"\n```\n\nThis repo contains a few example `*.tfvars.examples` files showing example variable configurations.\n\n## Configuration Options\n\n### VPC IP Addresses\n\nGenerated VPCs will have a /16 CIDR block providing up to 65,536 IP addresses. Choose the IP range you want by setting the `vpc_cidr_base` variable to the first two numbers of the desired IP range. All subnets will use IP CIDRs built on this pattern.\n\n```\nvpc_cidr_base = \"10.1\"\n```\n\nThe following subnets will be created in each AZ:\n\n* Public\n  * Resources requiring public IP addresses such as VPN/bastion instances and Elastic Load Balancers.\n* Private working\n  * Internal non-production resources such as web servers and database instances.\n* Private production\n  * Internal production resources such as web servers and database instances.\n* Private admin\n  * Internal shared administrative resources such as build server instances.\n\nEach subnet will be a /21 block providing up to 2,048 IP addresses per subnet and AZ.\n\n### AZ Count\n\nYour VPC can span between one and four AZs. 
You can select the specific AZs that should be used.\n\n```\naws_azs = \"us-west-2a, us-west-2b, us-west-2c, us-west-2d\"\naz_count = 4\n```\n\n### NAT Gateways\n\n`multi_az_nat_gateway`\n\nIdeally, in a multi-AZ setup, there is at least one NAT Gateway residing in each availability zone.  This allows the outbound traffic from private subnets in each AZ to function independently, and allows for some resilience in case of an AZ outage.\n\n`single_nat_gateway`\n\nIn some cases, it may be necessary to use a single NAT Gateway, in a single AZ, to pass all outbound traffic from the VPC.  This is usually a result of more than one private subnet needing to share a single route table. Concessions must be made in this situation since a route table can only contain a single default route.  This configuration introduces a single point of failure (SPOF) into a multi-AZ environment and should be used only when necessary.\n\nDefault values assume a multi-AZ NAT Gateway configuration:\n```\nvariable \"multi_az_nat_gateway\" {\n  description = \"place a NAT gateway in each AZ\"\n  default = 1\n}\n\nvariable \"single_nat_gateway\" {\n  description = \"use a single NAT gateway to serve outbound traffic for all AZs\"\n  default = 0\n}\n```\n\nTo use a single NAT gateway, set `multi_az_nat_gateway = 0` and `single_nat_gateway = 1` in `terraform.tfvars`.\n\n### S3 VPC Gateway Endpoint\n\n[VPC Gateway Endpoints](https://docs.aws.amazon.com/vpc/latest/userguide/vpce-gateway.html) route traffic to S3 or DynamoDB services over private networks, avoiding NAT gateways and the associated data processing charges on private subnets. Gateway endpoints are similar to NAT and Internet Gateways: there is a gateway endpoint resource and route table entries to direct specific traffic to it.\n\nSetting the TF variable `enable_s3_vpc_endpoint` to a truthy value creates an S3 VPC gateway endpoint and adds routes to all private subnet route tables. 
With this enabled all S3 traffic will route over private networks.\n\nConsiderations when enabling:\n\n* There is no additional cost for having this enabled.\n* **ENABLING WILL DISRUPT CONNECTIONS** When initially enabling this, any in-flight S3 connections in the VPC [will be interrupted](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-s3.html).\n* [DNS resolution must be enabled for the VPC](https://docs.aws.amazon.com/vpc/latest/userguide/vpce-gateway.html#vpc-endpoints-limitations).\n\n#### Additional Route Table Routes\n\nBy default when enabled, all private subnet route tables will get a route for the S3 endpoint. You can pass additional route table IDs for additional routes to be created. This is useful for route tables managed by Kops, for example.\n\n#### Endpoint S3 policy\n\nEach endpoint has an associated IAM-style policy attached. This module's default policy allows all access but can be overridden via the TF variable `s3_vpc_endpoint_policy`. S3 bucket and IAM policies still apply. 
The endpoint policy is an additional restriction on connections made through the endpoint.\n\n### Tagging\n\nThe subnets created can include custom tags by setting variables of the form `SUBNETNAME_subnet_tags`.\n\n| Subnet          | Variable                    |\n| --------------- | --------------------------- |\n| admin           | admin_subnet_tags           |\n| public          | public_subnet_tags          |\n| private_prod    | private_prod_subnet_tags    |\n| private_working | private_working_subnet_tags |\n\nThe routing tables can include custom tags by setting variables of the form `TABLENAME_route_table_tags`.\n\n| Route Table | Variable                 |\n| ----------- | ------------------------ |\n| public      | public_route_table_tags  |\n| private     | private_route_table_tags |\n\nThe internet gateway can be tagged with the variable `internet_gateway_tags`.\n\n## Contributing\nPlease read the [code of conduct](CODE_OF_CONDUCT.md).\n\n### Testing\nThis repo contains a few `.tfvars.example` files in the root illustrating different module usage configuration patterns. Each `.tfvars.example` file has a corresponding tfplan output file under `test/fixtures` representing the expected output. The project Makefile includes targets for installing a specific version of Terraform and comparing results of a `terraform plan` against expected output files.\n\n#### Setup\n\nRunning `make test` requires an actual AWS account for plan generation. The AWS account used requires read-only access to VPC/EC2 resources. No changes are applied. Credentials should be inferred from your awscli config, usually found in `~/.aws/config`.\n\n#### Executing tests\n\n```\n\u003e make test\n```\n\nMakefile defaults expect execution on OS X. 
To execute on Linux:\n\n```\n\u003e make test TF_PLATFORM=Linux\n```\n\n\n\u003c!-- Begin boilerplate --\u003e\n## Join the Fairwinds Open Source Community\n\nThe goal of the Fairwinds Community is to exchange ideas, influence the open source roadmap,\nand network with fellow Kubernetes users.\n[Chat with us on Slack](https://join.slack.com/t/fairwindscommunity/shared_invite/zt-e3c6vj4l-3lIH6dvKqzWII5fSSFDi1g) or\n[join the user group](https://www.fairwinds.com/open-source-software-user-group) to get involved!\n\n\u003ca href=\"https://www.fairwinds.com/t-shirt-offer?utm_source=terraform-vpc\u0026utm_medium=terraform-vpc\u0026utm_campaign=terraform-vpc-tshirt\"\u003e\n  \u003cimg src=\"https://www.fairwinds.com/hubfs/Doc_Banners/Fairwinds_OSS_User_Group_740x125_v6.png\" alt=\"Love Fairwinds Open Source? Share your business email and job title and we'll send you a free Fairwinds t-shirt!\" /\u003e\n\u003c/a\u003e\n\n## Other Projects from Fairwinds\n\nEnjoying terraform-vpc? Check out some of our other projects:\n* [Polaris](https://github.com/FairwindsOps/Polaris) - Audit, enforce, and build policies for Kubernetes resources, including over 20 built-in checks for best practices\n* [Goldilocks](https://github.com/FairwindsOps/Goldilocks) - Right-size your Kubernetes Deployments by comparing your memory and CPU settings against actual usage\n* [Pluto](https://github.com/FairwindsOps/Pluto) - Detect Kubernetes resources that have been deprecated or removed in future versions\n* [Nova](https://github.com/FairwindsOps/Nova) - Check to see if any of your Helm charts have updates available\n* [rbac-manager](https://github.com/FairwindsOps/rbac-manager) - Simplify the management of RBAC in your Kubernetes 
clusters\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffairwindsops%2Fterraform-vpc","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffairwindsops%2Fterraform-vpc","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffairwindsops%2Fterraform-vpc/lists"}