https://github.com/wearetechnative/terraform-aws-network
Terraform module to create AWS network resources - VPC, public / private networks, NAT and has advanced network configuration via .json
Last synced: 3 months ago
- Host: GitHub
- URL: https://github.com/wearetechnative/terraform-aws-network
- Owner: wearetechnative
- License: apache-2.0
- Created: 2023-10-18T13:50:12.000Z (over 2 years ago)
- Default Branch: main
- Last Pushed: 2025-01-14T12:23:33.000Z (over 1 year ago)
- Last Synced: 2025-01-31T12:12:35.280Z (over 1 year ago)
- Language: HCL
- Size: 185 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 3
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Terraform AWS [Network] 
TechNative's VPC boilerplate module.
## Design goals
- Standard 'Module guidelines' from https://docs-mcs.technative.eu/infra-as-code/terraform-code-organization/.
- Any network specific design goals are listed below.
- Do not implement security controls. Security is handled in the security groups.
- Reset and control any default resources as much as possible.
## Features
- create VPC
- advanced subnet configuration in JSON
- cheap NATs (see the `use_nat_instances` input)
## Usage
Use network.example.json as the starting point for your own network. Any consumer of the
network must use the `subnet_groups` output and be configured to use an entire subnet
group, so that any subnets later added to the network are automatically propagated to
its consumers (e.g. ASG, ALB).
This module defines a subnet group as a collection of subnets that can easily be
extended and must be used as a single entity. Each consumer of subnets must have
its subnet_group key configured and fetch the corresponding subnets from
output.subnet_groups, so that any additional subnets are picked up automatically.
Beware: new keys in the subnets map must sort after the existing ones (add them in
ascending order), and an existing subnet must be removed by setting is_provisioned
to false rather than by deleting its entry. The reason is that the CIDR blocks are
calculated by hashicorp/subnets/cidr, which hands them out consecutively and without
gaps in key order. The key-to-CIDR mapping therefore only stays stable when the map
is extended at the end; deleting a key would shift the CIDR of every subnet after it.
Each subnet's subnet_group must refer to an existing key in the subnet_groups map.
Use networkaddress_bits to define the number of addresses provisioned for the
subnet. This number must be higher than 3:
- networkaddress_bits = 4 -> 12 available addresses
- networkaddress_bits = 8 -> 251 available addresses
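The following pre-apply check for the JSON that feeds the `configuration` input is an added example and not part of the module. It models the consecutive, size-aligned allocation that hashicorp/subnets/cidr performs so the rules above (ascending keys, no deletions, existing subnet_group, networkaddress_bits above 3, no overflow of the VPC block) can be verified before `terraform apply`; the base VPC CIDR (10.0.0.0/16) and the assumption that an unprovisioned subnet still reserves its address space are mine, not the module's.

```python
import ipaddress

def subnet(name, az, bits, group, provisioned=True):
    return {"name": name, "is_provisioned": provisioned, "availability_zone": az,
            "networkaddress_bits": bits, "subnet_group": group}

# Constructed sample in the shape of the `configuration` input (see Inputs).
CONFIG = {
    "subnet_groups": {"public": {"nat_gateway": False, "internet_gateway": True},
                      "private": {"nat_gateway": True, "internet_gateway": False}},
    "subnets": {"01": subnet("pub-a", "eu-west-1a", 8, "public"),
                "02": subnet("pub-b", "eu-west-1b", 8, "public"),
                "03": subnet("priv-a", "eu-west-1a", 10, "private")},
}

def allocate(config, base="10.0.0.0/16"):
    """Consecutive allocation in sorted key order, each block aligned to its own
    size (as cidrsubnets does). Base CIDR and slot reservation for unprovisioned
    subnets are assumptions; the latter is what makes is_provisioned=false safe."""
    net = ipaddress.ip_network(base)
    cursor, cidrs = int(net.network_address), {}
    for key in sorted(config["subnets"]):
        s = config["subnets"][key]
        size = 2 ** s["networkaddress_bits"]
        cursor = -(-cursor // size) * size  # round up to a size-aligned start
        block = ipaddress.ip_network((cursor, 32 - s["networkaddress_bits"]))
        if not block.subnet_of(net):
            raise ValueError(f"{key}: {block} overflows {net}")
        if s["is_provisioned"]:  # unprovisioned: reserve the slot, output nothing
            cidrs[key] = str(block)
        cursor += size
    return cidrs

def check_change(old, new):
    """README rule violations for changing the config from `old` to `new`."""
    errors = []
    for key in set(old["subnets"]) - set(new["subnets"]):
        errors.append(f"{key}: removed; set is_provisioned to false instead")
    for key in set(new["subnets"]) - set(old["subnets"]):
        if old["subnets"] and key <= max(old["subnets"]):
            errors.append(f"{key}: new key must sort after existing keys")
    for key, s in new["subnets"].items():
        if s["subnet_group"] not in new["subnet_groups"]:
            errors.append(f"{key}: unknown subnet_group {s['subnet_group']!r}")
        if s["networkaddress_bits"] <= 3:
            errors.append(f"{key}: networkaddress_bits must be higher than 3")
    return sorted(errors)
```

With this sample, deleting key "01" moves "02" from 10.0.1.0/24 to 10.0.0.0/24, whereas setting its is_provisioned to false leaves "02" where it was; "03" lands on 10.0.4.0/22 either way because a /22 must start on a 1024-address boundary.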
## Future work / ideas
Subnet groups could be extended automatically when new availability zones become
available. The downside is that if many new AZs are added, the available CIDR block
overflows, so this is not included for now. Each subnet still requires some manual
configuration.
## Providers
| Name | Version |
|------|---------|
| [aws](#provider\_aws) | >=5.22.0 |
## Modules
| Name | Source | Version |
|------|--------|---------|
| [nat\_instances](#module\_nat\_instances) | ./nat_instances | n/a |
| [s3\_flow\_logs](#module\_s3\_flow\_logs) | git@github.com:wearetechnative/terraform-aws-s3 | 73aa13eeb59184ce88cd9e925e9dc1504cc18940 |
| [subnet\_addrs](#module\_subnet\_addrs) | hashicorp/subnets/cidr | 1.0.0 |
## Resources
| Name | Type |
|------|------|
| [aws_default_network_acl.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_network_acl) | resource |
| [aws_default_route_table.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_route_table) | resource |
| [aws_default_security_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_security_group) | resource |
| [aws_eip.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eip) | resource |
| [aws_flow_log.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/flow_log) | resource |
| [aws_internet_gateway.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/internet_gateway) | resource |
| [aws_nat_gateway.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/nat_gateway) | resource |
| [aws_network_acl.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl) | resource |
| [aws_network_acl_association.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_association) | resource |
| [aws_network_acl_rule.allow_all_inbound](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource |
| [aws_network_acl_rule.allow_all_outbound](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource |
| [aws_route.internet_gateway](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |
| [aws_route.nat_gateway](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |
| [aws_route_table.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table) | resource |
| [aws_route_table_association.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |
| [aws_subnet.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource |
| [aws_vpc.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc) | resource |
| [aws_vpc_dhcp_options.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_dhcp_options) | resource |
| [aws_vpc_dhcp_options_association.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_dhcp_options_association) | resource |
| [aws_vpc_endpoint.dynamodb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource |
| [aws_vpc_endpoint.s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_iam_policy_document.vpc_flow_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [configuration](#input\_configuration) | Configuration object indicating required setup. | <pre>object({<br>  subnet_groups : map(object({<br>    nat_gateway : bool<br>    internet_gateway : bool<br>  }))<br>  subnets : map(object({<br>    name : string<br>    is_provisioned : bool<br>    availability_zone : string<br>    networkaddress_bits : number<br>    subnet_group : string<br>  }))<br>})</pre> | n/a | yes |
| [kms\_key\_arn](#input\_kms\_key\_arn) | KMS key to use for VPC Flow logs. | `string` | n/a | yes |
| [name](#input\_name) | VPC name | `string` | n/a | yes |
| [sqs\_dlq\_arn](#input\_sqs\_dlq\_arn) | SQS DLQ Arn to transfer unprocessed / failed infra messages into. | `string` | n/a | yes |
| [use\_nat\_instances](#input\_use\_nat\_instances) | Use cheap (t4g.nano) instances to save cost. | `bool` | `false` | no |
| [vpc\_cidr\_partition\_id](#input\_vpc\_cidr\_partition\_id) | A number between 0 and 255 to prevent overlapping CIDR ranges. | `number` | n/a | yes |
## Outputs
| Name | Description |
|------|-------------|
| [subnet\_groups](#output\_subnet\_groups) | n/a |
| [vpc\_id](#output\_vpc\_id) | n/a |