Terraform modules for networking-related resources: VPC, subnets, route tables, etc.

Important: These modules are originally designed to be used within Skyscrapers and are tailored mostly to our own needs. They may also be suitable for your own use cases; however, in general we recommend using the excellent terraform-aws-vpc module instead.

This module will create a VPC with the option to specify several types of subnets:

- public_lb_subnets
- private_app_subnets
- private_db_subnets
- private_management_subnets

It will also create the required NAT Gateways (in separate public_nat subnets) and route tables for the private subnets. There's an option for either a single NAT Gateway or one per Availability Zone (the default). The private_app and private_db subnets are private subnets.
No requirements.
| Name | Version |
|---|---|
| aws | n/a |

| Name | Source | Version |
|---|---|---|
| private_app_subnets | ../subnets | n/a |
| private_db_subnets | ../subnets | n/a |
| private_management_subnets | ../subnets | n/a |
| public_lb_subnets | ../subnets | n/a |
| public_nat_subnets | ../subnets | n/a |

| Name | Type |
|---|---|
| aws_eip.nat_gateway | resource |
| aws_internet_gateway.gw | resource |
| aws_nat_gateway.gateway | resource |
| aws_route.private | resource |
| aws_route.public | resource |
| aws_route_table.private | resource |
| aws_route_table.public | resource |
| aws_vpc.main | resource |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| availability_zones | List of AZs to use for the subnets. In general we recommend specifying 3 AZs | list(string) | n/a | yes |
| cidr_block | CIDR block you want to have in your VPC | any | n/a | yes |
| enable_nat_gateway | Whether to deploy NAT Gateways | bool | true | no |
| enable_private_app_subnets | Whether to deploy private 'App' subnets | bool | true | no |
| enable_private_db_subnets | Whether to deploy private 'Database' subnets | bool | true | no |
| enable_private_management_subnets | Whether to deploy private 'Management' subnets | bool | false | no |
| enable_public_lb_subnets | Whether to deploy the public 'Load Balancer' subnets | bool | true | no |
| extra_tags_private_app | Private app subnets extra tags | map(string) | {} | no |
| extra_tags_private_db | Private database subnets extra tags | map(string) | {} | no |
| extra_tags_private_management | Private management subnets extra tags | map(string) | {} | no |
| extra_tags_public_lb | Public load balancer subnets extra tags | map(string) | {} | no |
| extra_tags_public_nat | Public NAT subnets extra tags | map(string) | {} | no |
| extra_tags_vpc | VPC extra tags | map(string) | {} | no |
| name | Main name for your VPC, subnets, etc. | string | "production" | no |
| netnum_private_app | First subnet number to start from for the private_app subnets | string | "20" | no |
| netnum_private_db | First subnet number to start from for the private_db subnets | string | "30" | no |
| netnum_private_management | First subnet number to start from for the private_management subnets | string | "200" | no |
| netnum_public_lb | First subnet number to start from for the public_lb subnets | string | "10" | no |
| netnum_public_nat | First subnet number to start from for the public_nat subnets | string | "0" | no |
| single_nat_gateway | Whether to use a single NAT Gateway or one per enabled Availability Zone. The number of NAT Gateways also determines the number of private route tables created | bool | false | no |
| tags | Optional tags | map(string) | {} | no |
| Name | Description |
|---|---|
| default_network_acl_id | ID of the default network ACL |
| nat_gateway_ids | n/a |
| nat_gateway_ips | n/a |
| private_app_subnets | List of the IDs of the private_app subnets created |
| private_db_subnets | List of the IDs of the private_db subnets created |
| private_management_subnets | List of the IDs of the private_management subnets created |
| private_rts | List of the IDs of the private route tables created |
| public_lb_subnets | List of the IDs of the public_lb subnets created |
| public_nat_subnets | List of the IDs of the public_nat subnets created |
| public_rts | List of the IDs of the public route tables created |
| vpc_id | The ID of the VPC created |
```hcl
data "aws_availability_zones" "available" {
  state = "available"
}

module "vpc" {
  source = "github.com/skyscrapers/terraform-network//vpc?ref=6.0.0"

  cidr_block         = "172.16.0.0/16"
  name               = "test"
  availability_zones = slice(data.aws_availability_zones.available.names, 0, 3)
  enable_nat_gateway = true
  single_nat_gateway = false

  extra_tags_public_lb = {
    "kubernetes.io/role/elb" = "1"
  }
}
```
Module to create a VPC peering connection between two VPCs. It creates the needed resources on both ends of the peering connection, thus it requires two different AWS providers.
It also creates the routing between the two VPCs if the route tables are provided.
No requirements.
| Name | Version |
|---|---|
| aws.source | n/a |
| aws.target | n/a |
No modules.
| Name | Type |
|---|---|
| aws_route.source_to_target | resource |
| aws_route.target_to_source | resource |
| aws_vpc_peering_connection.peering | resource |
| aws_vpc_peering_connection_accepter.peering | resource |
| aws_vpc_peering_connection_options.peering_accepter | resource |
| aws_vpc_peering_connection_options.peering_requester | resource |
| aws_vpc.source | data source |
| aws_vpc.target | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| source_name | Name of the source VPC | string | n/a | yes |
| source_route_table_ids | List of route table IDs from the source VPC that should be routable to the target VPC | list(string) | n/a | yes |
| source_vpc_id | ID of the source VPC | string | n/a | yes |
| target_account_id | AWS account ID of the target VPC | string | n/a | yes |
| target_name | Name of the target VPC | string | n/a | yes |
| target_route_table_ids | List of route table IDs from the target VPC that should be routable to the source VPC | list(string) | n/a | yes |
| target_vpc_id | ID of the target VPC | string | n/a | yes |
| tags | AWS tags to apply to the created resources | map(string) | {} | no |
| target_region | AWS region of the target VPC (optional) | string | null | no |
| Name | Description |
|---|---|
| vpc_peering_id | ID of the VPC peering connection |
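An added usage example (not from the module's own documentation) showing how the two provider aliases and the route table inputs from the tables above fit together when peering the VPC created by the `vpc` module in the earlier example with a VPC in a second account. The peering module's subdirectory, the role ARN, the target account ID and the target VPC and route table IDs are placeholders.

```hcl
# Requester side: the account and region this configuration runs in.
provider "aws" {
  alias  = "source"
  region = "eu-west-1"
}

# Accepter side: assumes a role in the target account. Keep that role scoped
# to the VPC peering and route table actions the module needs, nothing broader.
provider "aws" {
  alias  = "target"
  region = "eu-west-1"

  assume_role {
    role_arn = "arn:aws:iam::<TARGET_ACCOUNT_ID>:role/<PEERING_ROLE>" # placeholder
  }
}

module "peering" {
  # Placeholder path: substitute the peering module's subdirectory in this repo.
  source = "github.com/skyscrapers/terraform-network//<PEERING_MODULE_PATH>?ref=6.0.0"

  # Both provider aliases listed in the providers table are mandatory.
  providers = {
    aws.source = aws.source
    aws.target = aws.target
  }

  source_name   = "production"
  source_vpc_id = module.vpc.vpc_id # output of the vpc module instance above

  # Only the private route tables get a route to the peer, so the peering is
  # reachable from the app/db subnets but is not added to the public route tables.
  source_route_table_ids = module.vpc.private_rts

  target_account_id      = "<TARGET_ACCOUNT_ID>"  # placeholder
  target_name            = "shared-services"
  target_vpc_id          = "vpc-<PLACEHOLDER>"    # placeholder
  target_route_table_ids = ["rtb-<PLACEHOLDER>"]  # placeholder
  target_region          = null                   # same region; set only for cross-region peering

  tags = {
    Environment = "production"
  }
}

output "peering_id" {
  value = module.peering.vpc_peering_id
}
```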
In v6 of this module we have made several changes to simplify the VPC module and its usage. The main changes are:

- removed the `securitygroups` submodules and removed the `nat_gateway` module
- required to specify `availability_zones` and removed the `amount_*_subnets` variables. `availability_zones` is used to determine the amount of subnets to create for each group, so you can no longer specify the amount of subnets per group directly. It also determines several other things, most importantly the amount of NAT Gateways to deploy
- integrated creation of NAT Gateways into the main `vpc` module itself
- renamed the `public_nat-bastion` subnets to `public_nat` subnets

Related to this change, we have simplified the inputs for the `vpc` module.

Removed vars:

- `amount_public_nat_bastion_subnets`: this will be determined by the amount of NAT Gateways to deploy
- `number_private_rt`: this will be determined by the amount of NAT Gateways to deploy
- `number_nat_gateways`: this is now controlled by the new `enable_nat_gateway` and `single_nat_gateway` variables
- `amount_public_lb_subnets`: this will be determined by the amount of Availability Zones
- `amount_private_app_subnets`: this will be determined by the amount of Availability Zones
- `amount_private_db_subnets`: this will be determined by the amount of Availability Zones
- `amount_private_management_subnets`: this will be determined by the amount of Availability Zones

New vars:

- `enable_nat_gateway` (default: true): Whether to deploy NAT Gateways
- `single_nat_gateway` (default: false): Whether to deploy a single NAT Gateway or one per AZ
- `enable_public_lb_subnets` (default: true): Whether to deploy public LB subnets
- `enable_private_app_subnets` (default: true): Whether to deploy private app subnets
- `enable_private_db_subnets` (default: true): Whether to deploy private DB subnets
- `enable_private_management_subnets` (default: false): Whether to deploy private management subnets

Renamed:

- `netnum_public_nat-bastion` -> `netnum_public_nat`
If you deployed the `vpc` and `nat_gateway` modules separately, you will need to remove the `nat_gateway` module from your code and update the `vpc` module to use the new `*_nat_gateway` variables. You can use `moved` blocks to migrate the NAT Gateway resources to the new `vpc` module:

```hcl
moved {
  from = module.nat_gateway.aws_eip.nat_gateway
  to   = module.vpc.aws_eip.nat_gateway
}

moved {
  from = module.nat_gateway.aws_nat_gateway.gateway
  to   = module.vpc.aws_nat_gateway.gateway
}

moved {
  from = module.nat_gateway.aws_route.r
  to   = module.vpc.aws_route.private
}
```
Starting with v5, we've changed how naming and tagging of resources happen within the modules. In earlier versions, a resource's name was derived from the `project` and `environment` variables.

Starting with v5, we only provide a `name` variable, so make sure to update your code accordingly. In most cases this shouldn't be a breaking change: names for VPCs, subnets, route tables etc. can be changed without a destroy/recreate of the resources.

Important: The exception is Security Groups, so e.g. in the case of the `securitygroups/all` module, you should specify `name = "sg_all_myproject_myenv"` to keep the old name.

We've also removed our default, hardcoded tags for `Project` and `Environment`. You can still re-add these via the respective `tags` variables, or use the `default_tags` parameter of the AWS provider.
The Terraform state migration commands to migrate from VPC module v2.x to v3.0 and up:

```shell
terraform state mv module.vpc.aws_route_table_association.public_nat-bastion_hosts module.vpc.module.public_nat-bastion_subnets.aws_route_table_association.subnet_association
terraform state mv module.vpc.aws_route_table_association.private_app[0] module.vpc.module.private_app_subnets.aws_route_table_association.subnet_association[0]
terraform state mv module.vpc.aws_route_table_association.private_app[1] module.vpc.module.private_app_subnets.aws_route_table_association.subnet_association[1]
terraform state mv module.vpc.aws_route_table_association.private_app[2] module.vpc.module.private_app_subnets.aws_route_table_association.subnet_association[2]
terraform state mv module.vpc.aws_route_table_association.private_management[0] module.vpc.module.private_management_subnets.aws_route_table_association.subnet_association[0]
terraform state mv module.vpc.aws_route_table_association.private_management[1] module.vpc.module.private_management_subnets.aws_route_table_association.subnet_association[1]
terraform state mv module.vpc.aws_route_table_association.private_management[2] module.vpc.module.private_management_subnets.aws_route_table_association.subnet_association[2]
terraform state mv module.vpc.aws_route_table_association.public_lb_hosts[0] module.vpc.module.public_lb_subnets.aws_route_table_association.subnet_association[0]
terraform state mv module.vpc.aws_route_table_association.public_lb_hosts[1] module.vpc.module.public_lb_subnets.aws_route_table_association.subnet_association[1]
terraform state mv module.vpc.aws_route_table_association.public_lb_hosts[2] module.vpc.module.public_lb_subnets.aws_route_table_association.subnet_association[2]
terraform state mv module.vpc.aws_route_table_association.private_db[0] module.vpc.module.private_db_subnets.aws_route_table_association.subnet_association[0]
terraform state mv module.vpc.aws_route_table_association.private_db[1] module.vpc.module.private_db_subnets.aws_route_table_association.subnet_association[1]
terraform state mv module.vpc.aws_route_table_association.private_db[2] module.vpc.module.private_db_subnets.aws_route_table_association.subnet_association[2]
```