https://github.com/truefoundry/terraform-aws-truefoundry-network
Truefoundry AWS Network Module
- Host: GitHub
- URL: https://github.com/truefoundry/terraform-aws-truefoundry-network
- Owner: truefoundry
- License: apache-2.0
- Created: 2023-07-05T13:24:08.000Z (almost 3 years ago)
- Default Branch: main
- Last Pushed: 2025-12-15T11:07:15.000Z (6 months ago)
- Last Synced: 2026-02-13T08:05:10.593Z (4 months ago)
- Language: HCL
- Size: 68.4 KB
- Stars: 0
- Watchers: 1
- Forks: 1
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# terraform-aws-truefoundry-network
Truefoundry AWS Network Module
## Requirements
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | ~> 1.4 |
| [aws](#requirement\_aws) | ~> 5.57 |
## Providers
| Name | Version |
|------|---------|
| [aws](#provider\_aws) | ~> 5.57 |
## Modules
| Name | Source | Version |
|------|--------|---------|
| [aws-vpc-module](#module\_aws-vpc-module) | terraform-aws-modules/vpc/aws | 5.19.0 |
| [vpc\_flow\_logs\_bucket](#module\_vpc\_flow\_logs\_bucket) | terraform-aws-modules/s3-bucket/aws | 3.15.0 |
## Resources
| Name | Type |
|------|------|
| [aws_vpc_endpoint.s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource |
| [aws_iam_policy_document.flow_logs_bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_subnet.private_subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source |
| [aws_subnet.public_subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [aws\_account\_id](#input\_aws\_account\_id) | AWS account ID | `string` | n/a | yes |
| [aws\_region](#input\_aws\_region) | VPC region | `string` | n/a | yes |
| [azs](#input\_azs) | Availability Zones | `list(string)` | n/a | yes |
| [cluster\_name](#input\_cluster\_name) | AWS EKS cluster name needed for Shared cluster | `string` | `""` | no |
| [enable\_nat\_gateway](#input\_enable\_nat\_gateway) | Enable NAT Gateway - This is necessary for the cluster to work | `bool` | `true` | no |
| [external\_nat\_ip\_ids](#input\_external\_nat\_ip\_ids) | External NAT IPs IDs | `list(string)` | `[]` | no |
| [flow\_logs\_bucket\_attach\_deny\_insecure\_transport\_policy](#input\_flow\_logs\_bucket\_attach\_deny\_insecure\_transport\_policy) | Flag to attach deny insecure transport policy to the bucket | `bool` | `true` | no |
| [flow\_logs\_bucket\_attach\_policy](#input\_flow\_logs\_bucket\_attach\_policy) | Flag to attach policy to the bucket | `bool` | `true` | no |
| [flow\_logs\_bucket\_attach\_public\_policy](#input\_flow\_logs\_bucket\_attach\_public\_policy) | Flag to attach public policy to the bucket | `bool` | `true` | no |
| [flow\_logs\_bucket\_attach\_require\_latest\_tls\_policy](#input\_flow\_logs\_bucket\_attach\_require\_latest\_tls\_policy) | Flag to attach require latest TLS policy to the bucket | `bool` | `true` | no |
| [flow\_logs\_bucket\_block\_public\_acls](#input\_flow\_logs\_bucket\_block\_public\_acls) | Flag to block public ACLs on the bucket | `bool` | `true` | no |
| [flow\_logs\_bucket\_block\_public\_policy](#input\_flow\_logs\_bucket\_block\_public\_policy) | Flag to block public policy on the bucket | `bool` | `true` | no |
| [flow\_logs\_bucket\_enable\_override](#input\_flow\_logs\_bucket\_enable\_override) | Enable override for s3 bucket name. You must pass flow\_logs\_bucket\_override\_name | `bool` | `false` | no |
| [flow\_logs\_bucket\_encryption\_algorithm](#input\_flow\_logs\_bucket\_encryption\_algorithm) | Algorithm used for encrypting the default bucket. | `string` | `"AES256"` | no |
| [flow\_logs\_bucket\_encryption\_key\_arn](#input\_flow\_logs\_bucket\_encryption\_key\_arn) | ARN of the key used to encrypt the bucket. Only needed if you set aws:kms as encryption algorithm. | `string` | `null` | no |
| [flow\_logs\_bucket\_force\_destroy](#input\_flow\_logs\_bucket\_force\_destroy) | Force destroy for the default bucket. | `bool` | `false` | no |
| [flow\_logs\_bucket\_ignore\_public\_acls](#input\_flow\_logs\_bucket\_ignore\_public\_acls) | Flag to ignore public ACLs on the bucket | `bool` | `true` | no |
| [flow\_logs\_bucket\_override\_name](#input\_flow\_logs\_bucket\_override\_name) | Override name for s3 bucket. flow\_logs\_bucket\_enable\_override must be set true | `string` | `""` | no |
| [flow\_logs\_bucket\_restrict\_public\_buckets](#input\_flow\_logs\_bucket\_restrict\_public\_buckets) | Flag to restrict public buckets on the bucket | `bool` | `true` | no |
| [flow\_logs\_enable](#input\_flow\_logs\_enable) | Enable VPC flow logs | `bool` | `false` | no |
| [one\_nat\_gateway\_per\_az](#input\_one\_nat\_gateway\_per\_az) | One NAT Gateway for each AZ. | `bool` | `false` | no |
| [private\_subnet\_extra\_tags](#input\_private\_subnet\_extra\_tags) | Extra tags for VPC private subnets | `map(string)` | `{}` | no |
| [private\_subnets\_cidrs](#input\_private\_subnets\_cidrs) | Assigns IPv4 private subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list | `list(string)` | `[]` | no |
| [private\_subnets\_ids](#input\_private\_subnets\_ids) | SHIM: Private Subnets IDs | `list(string)` | `[]` | no |
| [public\_subnet\_extra\_tags](#input\_public\_subnet\_extra\_tags) | Extra tags for VPC public subnets | `map(string)` | `{}` | no |
| [public\_subnets\_cidrs](#input\_public\_subnets\_cidrs) | Assigns IPv4 public subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list | `list(string)` | `[]` | no |
| [public\_subnets\_ids](#input\_public\_subnets\_ids) | SHIM: Public Subnets IDs | `list(string)` | `[]` | no |
| [shim](#input\_shim) | If true, the module does not create the network and instead forwards the input values to the corresponding outputs. | `bool` | `false` | no |
| [single\_nat\_gateway](#input\_single\_nat\_gateway) | Single NAT Gateway, shared for all AZ and subnets | `bool` | `true` | no |
| [tags](#input\_tags) | AWS Tags common to all the resources created | `map(string)` | `{}` | no |
| [use\_external\_elastic\_ips](#input\_use\_external\_elastic\_ips) | Use external elastic IPs | `bool` | `false` | no |
| [vpc\_cidr](#input\_vpc\_cidr) | The CIDR block for the VPC. | `string` | `""` | no |
| [vpc\_id](#input\_vpc\_id) | SHIM: VPC Id | `string` | `""` | no |
## Outputs
| Name | Description |
|------|-------------|
| [availability\_zones](#output\_availability\_zones) | List of availability zones for VPC |
| [private\_subnets\_cidrs](#output\_private\_subnets\_cidrs) | List of private subnet CIDRs in the VPC |
| [private\_subnets\_id](#output\_private\_subnets\_id) | List of private subnet IDs in the VPC |
| [public\_subnets\_cidrs](#output\_public\_subnets\_cidrs) | List of public subnet CIDRs in the VPC |
| [public\_subnets\_id](#output\_public\_subnets\_id) | List of public subnet IDs in the VPC |
| [region](#output\_region) | AWS region of VPC |
| [validate\_private\_subnet\_tags](#output\_validate\_private\_subnet\_tags) | Validates that all private subnets have the required Kubernetes tags for proper ELB and cluster integration |
| [validate\_public\_subnet\_tags](#output\_validate\_public\_subnet\_tags) | Validates that all public subnets have the required Kubernetes tags for proper ELB and cluster integration |
| [vpc\_id](#output\_vpc\_id) | VPC ID of the network |
## Subnet Tag Validation (Shim Mode)
When using the module in shim mode (with existing subnets), the following outputs are available:
- `private_subnets_tags`: List of tag maps for each private subnet
- `public_subnets_tags`: List of tag maps for each public subnet
You should check these outputs to ensure your subnets have the required tags:
**Private Subnets:**
- `kubernetes.io/cluster/$CLUSTER_NAME`: "shared"
- `subnet`: "private"
- `kubernetes.io/role/internal-elb`: "1"
**Public Subnets:**
- `kubernetes.io/cluster/$CLUSTER_NAME`: "shared"
- `subnet`: "public"
- `kubernetes.io/role/elb`: "1"
If any subnet is missing these tags, you must add them manually in the AWS console or via CLI.
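The check described above, as an added example that is not part of the module or its README: it reads the list of tag maps that the shim-mode outputs return (the shape of `terraform output -json private_subnets_tags`) and reports, per subnet, which of the required tags are absent or hold the wrong value, for both the private and the public role. The sample tag maps and the cluster name `tfy-demo` are constructed for illustration.

```python
# Added example (not part of the module): check the tag maps returned by the
# shim-mode outputs against the tags the README requires. Sample data is constructed.
import json
import sys

ELB_ROLE_TAG = {"private": "kubernetes.io/role/internal-elb", "public": "kubernetes.io/role/elb"}

def required_tags(cluster_name, role):
    """Tags the README requires on a subnet of the given role ('private' or 'public')."""
    return {
        f"kubernetes.io/cluster/{cluster_name}": "shared",
        "subnet": role,
        ELB_ROLE_TAG[role]: "1",
    }

def missing_tags(tags, cluster_name, role):
    """Required tags absent from `tags` or holding a different value, mapped to the expected value."""
    return {k: v for k, v in required_tags(cluster_name, role).items() if tags.get(k) != v}

def check_subnets(tag_maps, cluster_name, role):
    """Return [(index, name, missing)] for each failing subnet; an empty list means all pass."""
    failures = []
    for i, tags in enumerate(tag_maps):
        missing = missing_tags(tags, cluster_name, role)
        if missing:
            failures.append((i, tags.get("Name", f"subnet[{i}]"), missing))
    return failures

# Constructed sample in the shape of `terraform output -json private_subnets_tags`:
# the second subnet has the wrong cluster tag value and lacks the internal-elb role tag.
SAMPLE_PRIVATE = json.loads("""[
  {"Name": "demo-private-a", "subnet": "private",
   "kubernetes.io/cluster/tfy-demo": "shared", "kubernetes.io/role/internal-elb": "1"},
  {"Name": "demo-private-b", "subnet": "private", "kubernetes.io/cluster/tfy-demo": "owned"}
]""")

def main():
    # Usage: terraform output -json private_subnets_tags | python check_tags.py tfy-demo private
    if len(sys.argv) == 3:
        cluster, role, tag_maps = sys.argv[1], sys.argv[2], json.load(sys.stdin)
    else:
        cluster, role, tag_maps = "tfy-demo", "private", SAMPLE_PRIVATE
    failures = check_subnets(tag_maps, cluster, role)
    for _, name, missing in failures:
        print(f"{name}: add or correct tags {missing}")
    sys.exit(1 if failures else 0)

if __name__ == "__main__":
    main()
```

A non-zero exit code makes the check usable as a gate in the pipeline that applies the module before the cluster is created.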