├── .deepsource.toml ├── .editorconfig ├── .github ├── CODEOWNERS ├── PULL_REQUEST_TEMPLATE.md ├── dependabot.yml └── workflows │ ├── auto_assignee.yml │ ├── automerge.yml │ ├── changelog.yml │ ├── readme.yml │ ├── tf-checks.yml │ ├── tflint.yml │ └── tfsec.yml ├── .gitignore ├── .pre-commit-config.yaml ├── CHANGELOG.md ├── LICENSE ├── Makefile ├── README.md ├── README.yaml ├── docs └── io.md ├── examples ├── basic │ ├── example.tf │ ├── outputs.tf │ └── versions.tf └── complete │ ├── example.tf │ ├── outputs.tf │ └── versions.tf ├── main.tf ├── outputs.tf ├── variables.tf └── versions.tf /.deepsource.toml: -------------------------------------------------------------------------------- 1 | version = 1 2 | 3 | [[analyzers]] 4 | name = "terraform" -------------------------------------------------------------------------------- /.editorconfig: -------------------------------------------------------------------------------- 1 | # EditorConfig is awesome: http://EditorConfig.org 2 | # Uses editorconfig to maintain consistent coding styles 3 | 4 | # top-most EditorConfig file 5 | root = true 6 | 7 | # Unix-style newlines with a newline ending every file 8 | [*] 9 | charset = utf-8 10 | end_of_line = lf 11 | indent_size = 2 12 | indent_style = space 13 | insert_final_newline = true 14 | max_line_length = 80 15 | trim_trailing_whitespace = true 16 | 17 | [*.{tf,tfvars}] 18 | indent_size = 2 19 | indent_style = space 20 | 21 | [*.md] 22 | max_line_length = 0 23 | trim_trailing_whitespace = false 24 | 25 | [Makefile] 26 | tab_width = 2 27 | indent_style = tab 28 | 29 | [COMMIT_EDITMSG] 30 | max_line_length = 0 31 | -------------------------------------------------------------------------------- /.github/CODEOWNERS: -------------------------------------------------------------------------------- 1 | # These owners will be the default owners for everything in the repo. 
2 | * @anmolnagpal @clouddrove/approvers @clouddrove-ci 3 | -------------------------------------------------------------------------------- /.github/PULL_REQUEST_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | ## what 2 | * Describe high-level what changed as a result of these commits (i.e. in plain-english, what do these changes mean?) 3 | * Use bullet points to be concise and to the point. 4 | 5 | ## why 6 | * Provide the justifications for the changes (e.g. business case). 7 | * Describe why these changes were made (e.g. why do these commits fix the problem?) 8 | * Use bullet points to be concise and to the point. 9 | 10 | ## references 11 | * Link to any supporting jira issues or helpful documentation to add some context (e.g. stackoverflow). 12 | * Use `closes #123`, if this PR closes a Jira issue `#123` 13 | -------------------------------------------------------------------------------- /.github/dependabot.yml: -------------------------------------------------------------------------------- 1 | # To get started with Dependabot version updates, you'll need to specify which 2 | # package ecosystems to update and where the package manifests are located. 
3 | # Please see the documentation for all configuration options: 4 | # https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates 5 | 6 | version: 2 7 | updates: 8 | 9 | - package-ecosystem: "github-actions" 10 | directory: "/" 11 | schedule: 12 | interval: "daily" 13 | open-pull-requests-limit: 3 14 | assignees: 15 | - "clouddrove-ci" 16 | reviewers: 17 | - "approvers" 18 | 19 | - package-ecosystem: "terraform" # See documentation for possible values 20 | directory: "/" # Location of package manifests 21 | schedule: 22 | interval: "weekly" 23 | # Add assignees 24 | assignees: 25 | - "clouddrove-ci" 26 | # Add reviewer 27 | reviewers: 28 | - "approvers" 29 | # Allow up to 3 open pull requests for Terraform dependencies 30 | open-pull-requests-limit: 3 31 | 32 | - package-ecosystem: "terraform" # See documentation for possible values 33 | directory: "/_example/basic" # Location of package manifests 34 | schedule: 35 | interval: "weekly" 36 | # Add assignees 37 | assignees: 38 | - "clouddrove-ci" 39 | # Add reviewer 40 | reviewers: 41 | - "approvers" 42 | # Allow up to 3 open pull requests for Terraform dependencies 43 | open-pull-requests-limit: 3 44 | 45 | - package-ecosystem: "terraform" # See documentation for possible values 46 | directory: "/_example/complete" # Location of package manifests 47 | schedule: 48 | interval: "weekly" 49 | # Add assignees 50 | assignees: 51 | - "clouddrove-ci" 52 | # Add reviewer 53 | reviewers: 54 | - "approvers" 55 | # Allow up to 3 open pull requests for Terraform dependencies 56 | open-pull-requests-limit: 3 57 | -------------------------------------------------------------------------------- /.github/workflows/auto_assignee.yml: -------------------------------------------------------------------------------- 1 | name: Auto Assign PRs 2 | 3 | on: 4 | pull_request: 5 | types: [opened, reopened] 6 | 7 | workflow_dispatch: 8 | jobs: 9 | assignee: 10 | uses: 
clouddrove/github-shared-workflows/.github/workflows/auto_assignee.yml@master 11 | secrets: 12 | GITHUB: ${{ secrets.GITHUB }} 13 | with: 14 | assignees: 'clouddrove-ci' 15 | -------------------------------------------------------------------------------- /.github/workflows/automerge.yml: -------------------------------------------------------------------------------- 1 | --- 2 | name: Auto merge 3 | on: 4 | pull_request: 5 | jobs: 6 | auto-merge: 7 | uses: clouddrove/github-shared-workflows/.github/workflows/auto_merge.yml@master 8 | secrets: 9 | GITHUB: ${{ secrets.GITHUB }} 10 | with: 11 | tfcheck: 'basic / Check code format' 12 | ... 13 | -------------------------------------------------------------------------------- /.github/workflows/changelog.yml: -------------------------------------------------------------------------------- 1 | name: changelog 2 | permissions: write-all 3 | on: 4 | push: 5 | tags: 6 | - "*" 7 | workflow_dispatch: 8 | jobs: 9 | changelog: 10 | uses: clouddrove/github-shared-workflows/.github/workflows/changelog.yml@master 11 | secrets: inherit 12 | with: 13 | branch: 'master' 14 | -------------------------------------------------------------------------------- /.github/workflows/readme.yml: -------------------------------------------------------------------------------- 1 | name: readme workflow 2 | on: 3 | push: 4 | branches: 5 | - master 6 | paths-ignore: 7 | - 'README.md' 8 | workflow_dispatch: 9 | jobs: 10 | assignee: 11 | uses: clouddrove/github-shared-workflows/.github/workflows/readme.yml@master 12 | secrets: 13 | TOKEN : ${{ secrets.GITHUB }} 14 | SLACK_WEBHOOK_TERRAFORM: ${{ secrets.SLACK_WEBHOOK_TERRAFORM }} 15 | -------------------------------------------------------------------------------- /.github/workflows/tf-checks.yml: -------------------------------------------------------------------------------- 1 | name: tf-checks 2 | on: 3 | push: 4 | branches: [ master ] 5 | pull_request: 6 | workflow_dispatch: 7 | jobs: 8 | basic: 
9 | uses: clouddrove/github-shared-workflows/.github/workflows/tf-checks.yml@master 10 | with: 11 | working_directory: './examples/basic/' 12 | complete: 13 | uses: clouddrove/github-shared-workflows/.github/workflows/tf-checks.yml@master 14 | with: 15 | working_directory: './examples/complete/' 16 | -------------------------------------------------------------------------------- /.github/workflows/tflint.yml: -------------------------------------------------------------------------------- 1 | name: tf-lint 2 | on: 3 | push: 4 | branches: [ master ] 5 | pull_request: 6 | workflow_dispatch: 7 | jobs: 8 | tf-lint: 9 | uses: clouddrove/github-shared-workflows/.github/workflows/tf-lint.yml@master 10 | secrets: 11 | GITHUB: ${{ secrets.GITHUB }} 12 | -------------------------------------------------------------------------------- /.github/workflows/tfsec.yml: -------------------------------------------------------------------------------- 1 | name: tfsec 2 | permissions: write-all 3 | on: 4 | pull_request: 5 | workflow_dispatch: 6 | jobs: 7 | tfsec: 8 | uses: clouddrove/github-shared-workflows/.github/workflows/tfsec.yml@master 9 | secrets: inherit 10 | with: 11 | working_directory: '.' 
12 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # ignored files 2 | *~ 3 | 4 | # temporary files which can be created if a process still has a handle open of a deleted file 5 | .fuse_hidden* 6 | 7 | # KDE directory preferences 8 | .directory 9 | 10 | # Linux trash folder which might appear on any partition or disk 11 | .Trash-* 12 | 13 | # .nfs files are created when an open file is removed but is still being accessed 14 | .nfs* 15 | ### Eclipse template 16 | 17 | .metadata 18 | bin/ 19 | tmp/ 20 | *.tmp 21 | *.bak 22 | *.swp 23 | *~.nib 24 | local.properties 25 | .settings/ 26 | .loadpath 27 | .recommenders 28 | 29 | # External tool builders 30 | .externalToolBuilders/ 31 | 32 | # Locally stored "Eclipse launch configurations" 33 | *.launch 34 | 35 | # PyDev specific (Python IDE for Eclipse) 36 | *.pydevproject 37 | 38 | # CDT-specific (C/C++ Development Tooling) 39 | .cproject 40 | 41 | # Java annotation processor (APT) 42 | .factorypath 43 | 44 | # PDT-specific (PHP Development Tools) 45 | .buildpath 46 | 47 | # sbteclipse plugin 48 | .target 49 | 50 | # Tern plugin 51 | .tern-project 52 | 53 | # TeXlipse plugin 54 | .texlipse 55 | 56 | # STS (Spring Tool Suite) 57 | .springBeans 58 | 59 | # Code Recommenders 60 | .recommenders/ 61 | 62 | # Scala IDE specific (Scala & Java development for Eclipse) 63 | .cache-main 64 | .scala_dependencies 65 | .worksheet 66 | ### Windows template 67 | # Windows thumbnail cache files 68 | Thumbs.db 69 | ehthumbs.db 70 | ehthumbs_vista.db 71 | 72 | # Dump file 73 | *.stackdump 74 | 75 | # Folder config file 76 | [Dd]esktop.ini 77 | 78 | # Recycle Bin used on file shares 79 | $RECYCLE.BIN/ 80 | 81 | # Windows Installer files 82 | *.cab 83 | *.msi 84 | *.msm 85 | *.msp 86 | 87 | # Windows shortcuts 88 | *.lnk 89 | ### Ansible template 90 | *.retry 91 | ### macOS template 92 | # General 93 | 
.DS_Store 94 | .AppleDouble 95 | .LSOverride 96 | 97 | # Icon must end with two \r 98 | Icon 99 | 100 | # Thumbnails 101 | ._* 102 | 103 | # Files that might appear in the root of a volume 104 | .DocumentRevisions-V100 105 | .fseventsd 106 | .Spotlight-V100 107 | .TemporaryItems 108 | .Trashes 109 | .VolumeIcon.icns 110 | .com.apple.timemachine.donotpresent 111 | 112 | # Directories potentially created on remote AFP share 113 | .AppleDB 114 | .AppleDesktop 115 | Network Trash Folder 116 | Temporary Items 117 | .apdisk 118 | ### Archives template 119 | # It's better to unpack these files and commit the raw source because 120 | # git has its own built in compression methods. 121 | *.7z 122 | *.jar 123 | *.rar 124 | *.zip 125 | *.gz 126 | *.tgz 127 | *.bzip 128 | *.bz2 129 | *.xz 130 | *.lzma 131 | *.cab 132 | 133 | # Packing-only formats 134 | *.iso 135 | *.tar 136 | 137 | # Package management formats 138 | *.dmg 139 | *.xpi 140 | *.gem 141 | *.egg 142 | *.deb 143 | *.rpm 144 | *.msi 145 | *.msm 146 | *.msp 147 | ### JetBrains template 148 | # Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio and Webstorm 149 | # Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839 150 | 151 | /.idea/ 152 | # User-specific stuff: 153 | .idea/**/workspace.xml 154 | .idea/**/tasks.xml 155 | .idea/dictionaries 156 | 157 | # Sensitive or high-churn files: 158 | .idea/**/dataSources/ 159 | .idea/**/dataSources.ids 160 | .idea/**/dataSources.xml 161 | .idea/**/dataSources.local.xml 162 | .idea/**/sqlDataSources.xml 163 | .idea/**/dynamic.xml 164 | .idea/**/uiDesigner.xml 165 | 166 | # Gradle: 167 | .idea/**/gradle.xml 168 | .idea/**/libraries 169 | 170 | # CMake 171 | cmake-build-debug/ 172 | 173 | # Mongo Explorer plugin: 174 | .idea/**/mongoSettings.xml 175 | 176 | ## File-based project format: 177 | *.iws 178 | 179 | ## Plugin-specific files: 180 | 181 | # IntelliJ 182 | out/ 183 | 184 | # mpeltonen/sbt-idea plugin 185 
| .idea_modules/ 186 | # User-specific stuff: 187 | .idea/* 188 | # JIRA plugin 189 | atlassian-ide-plugin.xml 190 | 191 | # Cursive Clojure plugin 192 | .idea/replstate.xml 193 | 194 | # Terraform state files 195 | *.tfstate* 196 | 197 | deployment/_logs/ansible-log.json 198 | deployment/_logs/ansible-log.log 199 | deployment/_logs/facts/* 200 | deployment/_logs/retry/* 201 | _app/* 202 | ansible-log.json 203 | .terraform 204 | terraform.tfstate 205 | 206 | *.tfstate 207 | *.tfstate.backup 208 | *.iml 209 | *.terraform.lock.hcl 210 | *.lock.hcl 211 | -------------------------------------------------------------------------------- /.pre-commit-config.yaml: -------------------------------------------------------------------------------- 1 | repos: 2 | 3 | - repo: https://github.com/gruntwork-io/pre-commit 4 | rev: v0.1.12 # Get the latest from: https://github.com/gruntwork-io/pre-commit/releases 5 | hooks: 6 | - id: terraform-fmt 7 | - id: shellcheck 8 | - id: tflint 9 | 10 | - repo: git://github.com/pre-commit/pre-commit-hooks 11 | rev: v4.0.1 # Use the ref you want to point at 12 | hooks: 13 | - id: end-of-file-fixer 14 | - id: trailing-whitespace 15 | - id: mixed-line-ending 16 | - id: check-byte-order-marker 17 | - id: check-executables-have-shebangs 18 | - id: check-merge-conflict 19 | - id: debug-statements 20 | - id: check-yaml 21 | - id: check-added-large-files 22 | -------------------------------------------------------------------------------- /CHANGELOG.md: -------------------------------------------------------------------------------- 1 | # Changelog 2 | All notable changes to this project will be documented in this file. 3 | 4 | The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), 5 | and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). 
6 | 7 | ## [2.0.0] - 2023-07-26 8 | ### :sparkles: New Features 9 | - [`02502c0`](https://github.com/clouddrove/terraform-aws-vpc/commit/02502c0e86dfb8a7fd1366462aed27e796c3acf0) - update workflows and readme.yaml *(PR [#53](https://github.com/clouddrove/terraform-aws-vpc/pull/53) by [@theprashantyadav](https://github.com/theprashantyadav))* 10 | - [`16ad441`](https://github.com/clouddrove/terraform-aws-vpc/commit/16ad4418a97cb8fc83144cb7f9dbdd51eb779e34) - Updated resources to be dynamic and added support for flow logs to be published in cloudwatch *(commit by [@13archit](https://github.com/13archit))* 11 | - [`25f99bd`](https://github.com/clouddrove/terraform-aws-vpc/commit/25f99bd53cc6c051b785636572e5add5f7097d01) - Added cloudwatch resource *(commit by [@13archit](https://github.com/13archit))* 12 | - [`95a1a68`](https://github.com/clouddrove/terraform-aws-vpc/commit/95a1a68e3020612551124370fa1daa67bb433131) - Added test example and modified main.tf *(commit by [@13archit](https://github.com/13archit))* 13 | 14 | ### :bug: Bug Fixes 15 | - [`309542d`](https://github.com/clouddrove/terraform-aws-vpc/commit/309542de7735f506d4dccd1246f550e76f384a9c) - Fixed kms key policy and updated example folder *(commit by [@13archit](https://github.com/13archit))* 16 | - [`a0ac339`](https://github.com/clouddrove/terraform-aws-vpc/commit/a0ac3394317c253c34e86ba9e609bddb6a1f4f85) - Fixed vulnerabilities *(commit by [@13archit](https://github.com/13archit))* 17 | - [`9537489`](https://github.com/clouddrove/terraform-aws-vpc/commit/953748945e248044656093e1a23a6b942fbb7396) - Updated comments and example folder hierarchy *(commit by [@13archit](https://github.com/13archit))* 18 | - [`6bb0fb9`](https://github.com/clouddrove/terraform-aws-vpc/commit/6bb0fb9e1ace6efc68c7ba9bfbc07c8a07728eae) - Fixed directory in workflows *(commit by [@13archit](https://github.com/13archit))* 19 | - 
[`b59d760`](https://github.com/clouddrove/terraform-aws-vpc/commit/b59d7606d93713fafeb9dfe194c7110351787183) - Fixed _example/complete and dependabot.yml *(commit by [@13archit](https://github.com/13archit))* 20 | - [`8e70e44`](https://github.com/clouddrove/terraform-aws-vpc/commit/8e70e44c180d62937d158c9750279fec18f965c2) - Added ignore for vpc flow log error because it is enabled via a separate resource *(commit by [@13archit](https://github.com/13archit))* 21 | - [`b07fc3c`](https://github.com/clouddrove/terraform-aws-vpc/commit/b07fc3ce14059898ab2336f6f87c522c8873b074) - updated github actions *(commit by [@mamrajyadav](https://github.com/mamrajyadav))* 22 | 23 | ### :memo: Documentation Changes 24 | - [`baa9f10`](https://github.com/clouddrove/terraform-aws-vpc/commit/baa9f1089b3d2ccacf9339104762e32d274fc3b3) - update CHANGELOG.md for 1.3.1 *(commit by [@clouddrove-ci](https://github.com/clouddrove-ci))* 25 | 26 | 27 | ## [1.3.1] - 2023-05-31 28 | ### :sparkles: New Features 29 | - [`6f2735f`](https://github.com/clouddrove/terraform-aws-vpc/commit/6f2735fa5657122dd4c6e61375d38073ba6f4ceb) - updated tfsec.yml file *(commit by [@vibhutigoyal](https://github.com/vibhutigoyal))* 30 | - [`fcf15d1`](https://github.com/clouddrove/terraform-aws-vpc/commit/fcf15d1e75c6b7f44ba5a8d2742586b21c293375) - updated changelog.yml name *(commit by [@vibhutigoyal](https://github.com/vibhutigoyal))* 31 | - [`6793df2`](https://github.com/clouddrove/terraform-aws-vpc/commit/6793df265367191319be1c3b2946f8c11d823510) - updated changelog.yml name and file *(commit by [@vibhutigoyal](https://github.com/vibhutigoyal))* 32 | - [`0df9c4d`](https://github.com/clouddrove/terraform-aws-vpc/commit/0df9c4d9c34598f500340ea99f509ce4c83b4a49) - add deepsource & added assignees, reviewer in dependabot *(commit by [@Tanveer143s](https://github.com/Tanveer143s))* 33 | 34 | 35 | ## [v1.3.0] - 2022-12-28 36 | ### :bug: Bug Fixes 37 | - 
[`da3fdc9`](https://github.com/clouddrove/terraform-aws-vpc/commit/da3fdc9fbcde60c8f07cf3235ddb0b1f73842a0c) - Updated terraform versions. 38 | - [`7c0caf6`](https://github.com/clouddrove/terraform-aws-vpc/commit/7c0caf63f0f61b1e80632e89cedbf6e1d6097362) - fix labels tag. 39 | - [`18ca74f`](https://github.com/clouddrove/terraform-aws-vpc/commit/18ca74f3b0d938b776f865a12b882f62edba5f09) - update workflows 40 | 41 | 42 | ## [v0.15.1] - 2022-05-3 43 | ### :bug: Bug Fixes 44 | - [`18ca74f`](https://github.com/clouddrove/terraform-aws-vpc/commit/18ca74f3b0d938b776f865a12b882f62edba5f09) - Updated README.md 45 | 46 | 47 | ## [v0.15.0] - 2021-07-9 48 | ### :sparkles: New Features 49 | - [`e674ac1`](https://github.com/clouddrove/terraform-aws-vpc/commit/e674ac11ea5342e2b4adb38bd962e2712d8a411d) - added ipv4 ipam pool feature 50 | 51 | ### :bug: Bug Fixes 52 | - [`6cd4741`](https://github.com/clouddrove/terraform-aws-vpc/commit/6cd47412dab4d85edac36299760ee646d70e64ab) - update github action version 53 | 54 | 55 | ## [v0.14.0] - 2021-05-10 56 | ### :sparkles: New Features 57 | - [`58693eb`](https://github.com/clouddrove/terraform-aws-vpc/commit/58693eb3bb1232481489abdac86d9ba4550e62fa) - restricts the default security 58 | 59 | ### :bug: Bug Fixes 60 | - [`167ad38`](https://github.com/clouddrove/terraform-aws-vpc/commit/167ad38200cb8bdbef0915eb42c3d49637d352c9) - fix terratest 61 | - [`904a689`](https://github.com/clouddrove/terraform-aws-vpc/commit/904a689009ad57a6c387b5d64e9d62a6b844fd01) - update labels variable 62 | - [`673b395`](https://github.com/clouddrove/terraform-aws-vpc/commit/673b395b0fd32f52ddf863e70606d666179a1c41) - fix github action 63 | - [`abe6771`](https://github.com/clouddrove/terraform-aws-vpc/commit/abe6771dc9a7b0f5240410de909723f17e8af317) - upgrade module to terraform 0.14 64 | 65 | 66 | ## [v0.13.0] - 2020-10-21 67 | ### :bug: Bug Fixes 68 | - [`f53a689`](https://github.com/clouddrove/terraform-aws-vpc/commit/f53a689d8e20141a9dc990ced179bac4ae4bf278) 
- change tag name in main.tf 69 | 70 | 71 | ## [v0.12.5] - 2020-03-30 72 | ### :bug: Bug Fixes 73 | - [`4448833`](https://github.com/clouddrove/terraform-aws-vpc/commit/44488334cf3b066e938e00eb54e5785614751e9d) - update terratest pipeline 74 | - [`b0de455`](https://github.com/clouddrove/terraform-aws-vpc/commit/b0de45544932e1029e2e69c3db6f0a5baac589a1) - add pre-commit 75 | 76 | 77 | ## [v0.12.4] - 2019-12-27 78 | ### :bug: Bug Fixes 79 | - [`f0a4833`](https://github.com/clouddrove/terraform-aws-vpc/commit/f0a483382fbe78c420f05b88b5dcefb7399060b2) - update github action 80 | 81 | 82 | ## [v0.12.3] - 2019-09-24 83 | ### :bug: Bug Fixes 84 | - [`3381ea4`](https://github.com/clouddrove/terraform-aws-vpc/commit/3381ea41a43776e49f4abd3f86634afc408d93cd) - fix the igw tag 85 | 86 | 87 | ## [v0.12.2] - 2019-09-14 88 | ### :bug: Bug Fixes 89 | - [`fad5b32`](https://github.com/clouddrove/terraform-aws-vpc/commit/fad5b325d7aa929c8e07a4a414697c1f753bdcd8) - change output syntax 90 | 91 | 92 | ## [v0.12.1] - 2019-09-05 93 | ### :bug: Bug Fixes 94 | - [`5c9fc8e`](https://github.com/clouddrove/terraform-aws-vpc/commit/5c9fc8e74bf9b6b96a1bead95a18d9bb77fa257d) - fix the tags for eks 95 | 96 | 97 | ## [v0.12.0] - 2019-08-12 98 | ### :bug: Bug Fixes 99 | - [`7cb99d0`](https://github.com/clouddrove/terraform-aws-vpc/commit/7cb99d03bdbb9f608afee9a729bb083d0eb6c3b2) - update url 100 | 101 | 102 | ## [v0.11.0] - 2019-08-12 103 | ### :bug: Bug Fixes 104 | - [`c10254f`](https://github.com/clouddrove/terraform-aws-vpc/commit/c10254fb4700118ff31244ab49470bf0a985a6a7) - terraform 0.12.0 105 | 106 | 107 | [v0.11.0]: https://github.com/clouddrove/terraform-aws-vpc/compare/0.11.0...master 108 | [v0.12.0]: https://github.com/clouddrove/terraform-aws-vpc/compare/0.11.0...0.12.0 109 | [v0.12.1]: https://github.com/clouddrove/terraform-aws-vpc/compare/0.12.0...0.12.1 110 | [v0.12.2]: https://github.com/clouddrove/terraform-aws-vpc/compare/0.12.1...0.12.2 111 | [v0.12.3]: 
https://github.com/clouddrove/terraform-aws-vpc/compare/0.12.2...0.12.3 112 | [v0.12.4]: https://github.com/clouddrove/terraform-aws-vpc/compare/0.12.3...0.12.4 113 | [v0.12.5]: https://github.com/clouddrove/terraform-aws-vpc/compare/0.12.4...0.12.5 114 | [v0.13.0]: https://github.com/clouddrove/terraform-aws-vpc/compare/0.12.5...0.13.0 115 | [v0.14.0]: https://github.com/clouddrove/terraform-aws-vpc/compare/0.13.0...0.14.0 116 | [v0.15.0]: https://github.com/clouddrove/terraform-aws-vpc/compare/0.14.0...0.15.0 117 | [v0.15.1]: https://github.com/clouddrove/terraform-aws-vpc/compare/0.15.0...0.15.1 118 | [v1.3.0]: https://github.com/clouddrove/terraform-aws-vpc/compare/0.15.1...1.3.0 119 | [1.3.1]: https://github.com/clouddrove/terraform-aws-vpc/compare/1.3.0...1.3.1 120 | [2.0.0]: https://github.com/clouddrove/terraform-aws-vpc/compare/1.3.1...2.0.0 -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 
22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. 
For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. 
If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. 
You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. 
You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. 
(Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright 2021 CloudDrove Inc. 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | export GENIE_PATH ?= $(shell 'pwd')/../../../genie 2 | include $(GENIE_PATH)/Makefile 3 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | 2 | [![Banner](https://github.com/clouddrove/terraform-module-template/assets/119565952/67a8a1af-2eb7-40b7-ae07-c94cde9ce062)][website] 3 |

4 | Terraform AWS VPC 5 |

6 | 7 |

8 | With our comprehensive DevOps toolkit - streamline operations, automate workflows, enhance collaboration and, most importantly, deploy with confidence. 9 |

10 | 11 | 12 |

13 | 14 | 15 | Latest Release 16 | 17 | 18 | tfsec 19 | 20 | 21 | Licence 22 | 23 | 24 | Changelog 25 | 26 | 27 | 28 |

29 |

30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 |

45 |
46 | 47 | 48 | We are a group of DevOps engineers & architects, joining hands in this ever evolving digital landscape. With our strong belief in Automation; just like microservices, always on the lookout to split the the infrastructure into smaller connected resources (database, cluster and more) which could be standardized, are manageable, scalable, secure & follow industry best practices. 49 | 50 | 51 | This module includes Terraform open source, examples, and automation tests (for better understanding), which would help you create and improve your infrastructure with minimalistic coding. 52 | 53 | 54 | 55 | 56 | ## Prerequisites and Providers 57 | 58 | This table contains both Prerequisites and Providers: 59 | 60 | | Description | Name | Version | 61 | |:-------------:|:-------------------------------------------:|:---------:| 62 | | **Prerequisite** | [Terraform](https://learn.hashicorp.com/terraform/getting-started/install.html) | >= 1.6.6 | 63 | | **Provider** | [aws](https://aws.amazon.com/) | >= 5.31.0 | 64 | 65 | 66 | 67 | 68 | 69 | ## Examples 70 | 71 | **IMPORTANT:** Since the master branch used in source varies based on new modifications, we recommend using the [release versions](https://github.com/clouddrove/terraform-aws-vpc/releases). 72 | 73 | 📌 For additional usage examples, check the complete list under [`examples/`](./examples) directory. 74 | 75 | 76 | 77 | ## Inputs and Outputs 78 | 79 | Refer to complete documentation: [here](docs/io.md) 80 | 81 | 82 | 93 | 94 | 95 | ## Module Dependencies 96 | 97 | This module has dependencies on: 98 | - [Labels Module](https://github.com/clouddrove/terraform-aws-labels): Provides resource tagging. 99 | 100 | 101 | ## 📑 Changelog 102 | 103 | Refer [here](CHANGELOG.md). 104 | 105 | 106 | 107 | 108 | ## ✨ Contributors 109 | 110 | Big thanks to our contributors for elevating our project with their dedication and expertise! 
But we do not wish to stop there; we would like to invite contributions from the community to improve these projects and make them more versatile for better reach. Remember, every bit of contribution is immensely valuable, as, together, we are moving in only 1 direction, i.e. forward. 111 | 112 | 113 | 114 | 115 |
116 |
117 | 118 | If you're considering contributing to our project, here are a few quick guidelines that we have been following (Got a suggestion? We are all ears!): 119 | 120 | - **Fork the Repository:** Create a new branch for your feature or bug fix. 121 | - **Coding Standards:** You know the drill. 122 | - **Clear Commit Messages:** Write clear and concise commit messages to facilitate understanding. 123 | - **Thorough Testing:** Test your changes thoroughly before submitting a pull request. 124 | - **Documentation Updates:** Include relevant documentation updates if your changes impact it. 125 | 126 | 127 | 128 | 129 | 130 | 131 | 132 | 133 | 134 | 135 | 136 | 137 | 138 | ## Feedback 139 | Spot a bug or have thoughts to share with us? Let's squash it together! Log it in our [issue tracker](https://github.com/clouddrove/terraform-aws-vpc/issues), feel free to drop us an email at [hello@clouddrove.com](mailto:hello@clouddrove.com). 140 | 141 | Show some love with a ★ on [our GitHub](https://github.com/clouddrove/terraform-aws-vpc)! if our work has brightened your day! – your feedback fuels our journey! 142 | 143 | 144 | ## :rocket: Our Accomplishment 145 | 146 | We have [*100+ Terraform modules*][terraform_modules] 🙌. You could consider them finished, but, with enthusiasts like yourself, we are able to ever improve them, so we call our status - improvement in progress. 147 | 148 | - [Terraform Module Registry:](https://registry.terraform.io/namespaces/clouddrove) Discover our Terraform modules here. 149 | 150 | - [Terraform Modules for AWS/Azure Modules:](https://github.com/clouddrove/toc) Explore our comprehensive Table of Contents for easy navigation through our documentation for modules pertaining to AWS, Azure & GCP. 151 | 152 | - [Terraform Modules for Digital Ocean:](https://github.com/terraform-do-modules/toc) Check out our specialized Terraform modules for Digital Ocean. 
153 | 154 | 155 | 156 | 157 | ## Join Our Slack Community 158 | 159 | Join our vibrant open-source slack community and embark on an ever-evolving journey with CloudDrove; helping you move upwards in your career path. 160 | Join our vibrant Open Source Slack Community and embark on a learning journey with CloudDrove. Grow with us in the world of DevOps and set your career on a path of consistency. 161 | 162 | 🌐💬 What you'll get after joining this Slack community: 163 | 164 | - 🚀 Encouragement to upgrade your best version. 165 | - 🌈 Learning companionship with our DevOps squad. 166 | - 🌱 Relentless growth with daily updates on new advancements in technologies. 167 | 168 | Join our tech elites [Join Now][slack] 🚀 169 | 170 | 171 | ## Explore Our Blogs 172 | 173 | Click [here][blog] :books: :star2: 174 | 175 | ## Tap into our capabilities 176 | We provide a platform for organizations to engage with experienced top-tier DevOps & Cloud services. Tap into our pool of certified engineers and architects to elevate your DevOps and Cloud Solutions. 177 | 178 | At [CloudDrove][website], we have extensive experience in designing, building & migrating environments, securing, consulting, monitoring, optimizing, automating, and maintaining complex and large modern systems. With remarkable client footprints in American & European corridors, our certified architects & engineers are ready to serve you as per your requirements & schedule. Write to us at [business@clouddrove.com](mailto:business@clouddrove.com). 179 | 180 |

We are The Cloud Experts!

181 |
182 |

We ❤️ Open Source and you can check out our other modules to get help with your new Cloud ideas.

183 | 184 | [website]: https://clouddrove.com 185 | [blog]: https://blog.clouddrove.com 186 | [slack]: https://www.launchpass.com/devops-talks 187 | [github]: https://github.com/clouddrove 188 | [linkedin]: https://cpco.io/linkedin 189 | [twitter]: https://twitter.com/clouddrove/ 190 | [email]: https://clouddrove.com/contact-us.html 191 | [terraform_modules]: https://github.com/clouddrove?utf8=%E2%9C%93&q=terraform-&type=&language= 192 | -------------------------------------------------------------------------------- /README.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # 3 | # This is the canonical configuration for the `README.md` 4 | # Run `make readme` to rebuild the `README.md` 5 | 6 | # Name of this project 7 | name: Terraform AWS VPC 8 | 9 | # License of this project 10 | license: "APACHE" 11 | 12 | # Canonical GitHub repo 13 | github_repo: clouddrove/terraform-aws-vpc 14 | 15 | # Badges to display 16 | badges: 17 | - name: "Latest Release" 18 | image: "https://img.shields.io/github/release/clouddrove/terraform-aws-vpc.svg" 19 | url: "https://github.com/clouddrove/terraform-aws-vpc/releases/latest" 20 | - name: "tfsec" 21 | image: "https://github.com/clouddrove/terraform-aws-vpc/actions/workflows/tfsec.yml/badge.svg" 22 | url: "https://github.com/clouddrove/terraform-aws-vpc/actions/workflows/tfsec.yml" 23 | - name: "Licence" 24 | image: "https://img.shields.io/badge/License-APACHE-blue.svg" 25 | url: "LICENSE.md" 26 | - name: "Changelog" 27 | image: "https://img.shields.io/badge/Changelog-blue" 28 | url: "CHANGELOG.md" 29 | 30 | prerequesties: 31 | - name: Terraform 32 | url: https://learn.hashicorp.com/terraform/getting-started/install.html 33 | version: ">= 1.6.6" 34 | 35 | providers: 36 | - name: aws 37 | url: https://aws.amazon.com/ 38 | version: ">= 5.31.0" 39 | 40 | module_dependencies: 41 | - name: Labels Module 42 | url: https://github.com/clouddrove/terraform-aws-labels 43 | description: Provides 
resource tagging. 44 | 45 | # description of this project 46 | description: |- 47 | Terraform module vpc to create new modules using this as baseline 48 | 49 | # How to use this project 50 | usage: |- 51 | Here are some examples of how you can use this module in your inventory structure: 52 | 53 | ### vpc basic example 54 | ```hcl 55 | module "vpc" { 56 | source = "clouddrove/vpc/aws" 57 | version = "2.0.0" 58 | name = "vpc" 59 | environment = "example" 60 | cidr_block = "10.0.0.0/16" 61 | enable_flow_log = true # Flow logs will be stored in cloudwatch log group. Variables passed in default. 62 | create_flow_log_cloudwatch_iam_role = true 63 | additional_cidr_block = ["172.3.0.0/16", "172.2.0.0/16"] 64 | dhcp_options_domain_name = "service.consul" 65 | dhcp_options_domain_name_servers = ["127.0.0.1", "10.10.0.2"] 66 | } 67 | ``` 68 | 69 | ### vpc complete example 70 | ```hcl 71 | module "vpc" { 72 | source = "clouddrove/vpc/aws" 73 | version = "2.0.0" 74 | name = "vpc" 75 | environment = "example" 76 | cidr_block = "10.0.0.0/16" 77 | enable_flow_log = true 78 | flow_log_destination_type = "s3" 79 | flow_logs_bucket_name = "gc-vpc-flow-logs-bucket" 80 | additional_cidr_block = ["172.3.0.0/16", "172.2.0.0/16"] 81 | dhcp_options_domain_name = "service.consul" 82 | dhcp_options_domain_name_servers = ["127.0.0.1", "10.10.0.2"] 83 | } 84 | ``` 85 | -------------------------------------------------------------------------------- /docs/io.md: -------------------------------------------------------------------------------- 1 | ## Inputs 2 | 3 | | Name | Description | Type | Default | Required | 4 | |------|-------------|------|---------|:--------:| 5 | | additional\_cidr\_block | List of secondary CIDR blocks of the VPC. | `list(string)` | `[]` | no | 6 | | assign\_generated\_ipv6\_cidr\_block | Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block. 
Conflicts with ipv6\_ipam\_pool\_id | `bool` | `true` | no | 7 | | aws\_default\_network\_acl | A boolean flag to enable/disable Default Network acl in the VPC. | `bool` | `true` | no | 8 | | aws\_default\_route\_table | A boolean flag to enable/disable Default Route Table in the VPC. | `bool` | `true` | no | 9 | | block\_http\_traffic | True when http traffic has to be blocked for S3. | `bool` | `true` | no | 10 | | cidr\_block | CIDR for the VPC. | `string` | `""` | no | 11 | | create\_flow\_log\_cloudwatch\_iam\_role | Flag to be set true when cloudwatch iam role is to be created when flow log destination type is set to cloudwatch logs. | `bool` | `false` | no | 12 | | default\_network\_acl\_egress | List of maps of egress rules to set on the Default Network ACL | `list(map(string))` |
[
{
"action": "allow",
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_no": 100,
"to_port": 0
},
{
"action": "allow",
"from_port": 0,
"ipv6_cidr_block": "::/0",
"protocol": "-1",
"rule_no": 101,
"to_port": 0
}
]
| no | 13 | | default\_network\_acl\_ingress | List of maps of ingress rules to set on the Default Network ACL | `list(map(string))` |
[
{
"action": "allow",
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_no": 100,
"to_port": 0
},
{
"action": "allow",
"from_port": 0,
"ipv6_cidr_block": "::/0",
"protocol": "-1",
"rule_no": 101,
"to_port": 0
}
]
| no | 14 | | default\_route\_table\_routes | Configuration block of routes. | `list(map(string))` | `[]` | no | 15 | | default\_security\_group\_egress | List of maps of egress rules to set on the default security group | `list(map(string))` | `[]` | no | 16 | | default\_security\_group\_ingress | List of maps of ingress rules to set on the default security group | `list(map(string))` | `[]` | no | 17 | | dhcp\_options\_domain\_name | Specifies DNS name for DHCP options set (requires enable\_dhcp\_options set to true) | `string` | `"service.consul"` | no | 18 | | dhcp\_options\_domain\_name\_servers | Specify a list of DNS server addresses for DHCP options set, default to AWS provided (requires enable\_dhcp\_options set to true) | `list(string)` |
[
"AmazonProvidedDNS"
]
| no | 19 | | dhcp\_options\_netbios\_name\_servers | Specify a list of netbios servers for DHCP options set (requires enable\_dhcp\_options set to true) | `list(string)` | `[]` | no | 20 | | dhcp\_options\_netbios\_node\_type | Specify netbios node\_type for DHCP options set (requires enable\_dhcp\_options set to true) | `string` | `""` | no | 21 | | dhcp\_options\_ntp\_servers | Specify a list of NTP servers for DHCP options set (requires enable\_dhcp\_options set to true) | `list(string)` | `[]` | no | 22 | | dns\_hostnames\_enabled | A boolean flag to enable/disable DNS hostnames in the VPC. | `bool` | `true` | no | 23 | | dns\_support\_enabled | A boolean flag to enable/disable DNS support in the VPC. | `bool` | `true` | no | 24 | | enable | Flag to control the vpc creation. | `bool` | `true` | no | 25 | | enable\_dhcp\_options | Should be true if you want to specify a DHCP options set with a custom domain name, DNS servers, NTP servers, netbios servers, and/or netbios server type | `bool` | `false` | no | 26 | | enable\_flow\_log | Enable vpc\_flow\_log logs. | `bool` | `false` | no | 27 | | enable\_key\_rotation | Specifies whether key rotation is enabled. Defaults to true(security best practice) | `bool` | `true` | no | 28 | | enable\_network\_address\_usage\_metrics | Determines whether network address usage metrics are enabled for the VPC | `bool` | `null` | no | 29 | | enabled\_ipv6\_egress\_only\_internet\_gateway | A boolean flag to enable/disable IPv6 Egress-Only Internet Gateway creation | `bool` | `true` | no | 30 | | environment | Environment (e.g. `prod`, `dev`, `staging`). | `string` | `""` | no | 31 | | flow\_log\_cloudwatch\_log\_group\_retention\_in\_days | Specifies the number of days you want to retain log events in the specified log group for VPC flow logs | `number` | `null` | no | 32 | | flow\_log\_destination\_arn | ARN of destination where vpc flow logs are to stored. Can be of existing s3 or existing cloudwatch log group. 
| `string` | `null` | no | 33 | | flow\_log\_destination\_type | Type of flow log destination. Can be s3 or cloud-watch-logs | `string` | `"cloud-watch-logs"` | no | 34 | | flow\_log\_file\_format | (Optional) The format for the flow log. Valid values: `plain-text`, `parquet` | `string` | `null` | no | 35 | | flow\_log\_hive\_compatible\_partitions | (Optional) Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3 | `bool` | `false` | no | 36 | | flow\_log\_iam\_role\_arn | The ARN for the IAM role that's used to post flow logs to a CloudWatch Logs log group. When flow\_log\_destination\_arn is set to ARN of Cloudwatch Logs, this argument needs to be provided | `string` | `null` | no | 37 | | flow\_log\_log\_format | The fields to include in the flow log record, in the order in which they should appear | `string` | `null` | no | 38 | | flow\_log\_max\_aggregation\_interval | The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: `60` seconds or `600` seconds | `number` | `600` | no | 39 | | flow\_log\_per\_hour\_partition | (Optional) Indicates whether to partition the flow log per hour. This reduces the cost and response time for queries | `bool` | `false` | no | 40 | | flow\_log\_traffic\_type | The type of traffic to capture. Valid values: ACCEPT, REJECT, ALL | `string` | `"ALL"` | no | 41 | | flow\_logs\_bucket\_name | Name (e.g. `mybucket` or `bucket101`). | `string` | `null` | no | 42 | | instance\_tenancy | A tenancy option for instances launched into the VPC. | `string` | `"default"` | no | 43 | | ipam\_pool\_enable | Flag to be set true when using ipam for cidr. | `bool` | `false` | no | 44 | | ipv4\_ipam\_pool\_id | The ID of an IPv4 IPAM pool you want to use for allocating this VPC's CIDR. | `string` | `""` | no | 45 | | ipv4\_netmask\_length | The netmask length of the IPv4 CIDR you want to allocate to this VPC. 
Requires specifying an ipv4\_ipam\_pool\_id | `string` | `null` | no | 46 | | ipv6\_cidr\_block | IPv6 CIDR for the VPC. | `string` | `null` | no | 47 | | ipv6\_cidr\_block\_network\_border\_group | Set this to restrict advertisement of public addresses to a specific Network Border Group such as a LocalZone. | `string` | `null` | no | 48 | | ipv6\_ipam\_pool\_id | The ID of an IPv6 IPAM pool you want to use for allocating this VPC's CIDR. | `string` | `null` | no | 49 | | ipv6\_netmask\_length | The netmask length of the IPv6 CIDR you want to allocate to this VPC. Requires specifying an ipv6\_ipam\_pool\_id | `string` | `null` | no | 50 | | kms\_key\_deletion\_window | KMS Key deletion window in days. | `number` | `10` | no | 51 | | label\_order | Label order, e.g. `name`,`application`. | `list(any)` |
[
"name",
"environment"
]
| no | 52 | | managedby | ManagedBy, eg 'CloudDrove' | `string` | `"hello@clouddrove.com"` | no | 53 | | name | Name (e.g. `app` or `cluster`). | `string` | `""` | no | 54 | | repository | Terraform current module repo | `string` | `"https://github.com/clouddrove/terraform-aws-vpc"` | no | 55 | | restrict\_default\_sg | Flag to control the restrict default sg creation. | `bool` | `true` | no | 56 | | s3\_sse\_algorithm | Server-side encryption algorithm to use. Valid values are AES256 and aws:kms | `string` | `"aws:kms"` | no | 57 | | vpc\_flow\_log\_permissions\_boundary | The ARN of the Permissions Boundary for the VPC Flow Log IAM Role | `string` | `null` | no | 58 | 59 | ## Outputs 60 | 61 | | Name | Description | 62 | |------|-------------| 63 | | arn | Amazon Resource Name (ARN) of VPC | 64 | | igw\_id | The ID of the Internet Gateway. | 65 | | ipv6\_cidr\_block | The IPv6 CIDR block. | 66 | | ipv6\_cidr\_block\_network\_border\_group | The IPv6 Network Border Group Zone name | 67 | | ipv6\_egress\_only\_igw\_id | The ID of the egress-only Internet Gateway | 68 | | tags | A mapping of tags to assign to the resource. | 69 | | vpc\_arn | The ARN of the VPC | 70 | | vpc\_cidr\_block | The CIDR block of the VPC. | 71 | | vpc\_default\_network\_acl\_id | The ID of the network ACL created by default on VPC creation. | 72 | | vpc\_default\_route\_table\_id | The ID of the route table created by default on VPC creation. | 73 | | vpc\_default\_security\_group\_id | The ID of the security group created by default on VPC creation. | 74 | | vpc\_id | The ID of the VPC. | 75 | | vpc\_ipv6\_association\_id | The association ID for the IPv6 CIDR block. | 76 | | vpc\_main\_route\_table\_id | The ID of the main route table associated with this VPC. 
| 77 | 78 | -------------------------------------------------------------------------------- /examples/basic/example.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = "us-west-1" 3 | } 4 | 5 | locals { 6 | name = "vpc" 7 | environment = "example" 8 | } 9 | ##----------------------------------------------------------------------------- 10 | ## VPC Module Call. 11 | ##----------------------------------------------------------------------------- 12 | module "vpc" { 13 | source = "../.." 14 | 15 | name = local.name 16 | environment = local.environment 17 | enable = true 18 | cidr_block = "10.0.0.0/16" 19 | enable_flow_log = true # Flow logs will be stored in cloudwatch log group. Variables passed in default. 20 | create_flow_log_cloudwatch_iam_role = true 21 | additional_cidr_block = ["172.3.0.0/16", "172.2.0.0/16"] 22 | dhcp_options_domain_name = "service.consul" 23 | dhcp_options_domain_name_servers = ["127.0.0.1", "10.10.0.2"] 24 | } 25 | -------------------------------------------------------------------------------- /examples/basic/outputs.tf: -------------------------------------------------------------------------------- 1 | output "id" { 2 | value = module.vpc[*].vpc_id 3 | description = "The ID of the VPC." 4 | } 5 | 6 | output "tags" { 7 | value = module.vpc[*].tags 8 | description = "A mapping of tags to assign to the resource." 
9 | } 10 | 11 | output "vpc_cidr" { 12 | value = module.vpc[*].vpc_cidr_block 13 | description = "The primary IPv4 CIDR block" 14 | } 15 | 16 | output "vpc_ipv6_cidr_block" { 17 | value = module.vpc[*].ipv6_cidr_block 18 | description = "The primary IPv6 CIDR block" 19 | } 20 | 21 | output "vpc_ipv6_association_id" { 22 | value = module.vpc[*].vpc_ipv6_association_id 23 | description = "The association ID for the primary IPv6 CIDR block" 24 | } 25 | 26 | output "ipv6_cidr_block_network_border_group" { 27 | value = module.vpc[*].ipv6_cidr_block_network_border_group 28 | description = "The Network Border Group Zone name" 29 | } 30 | -------------------------------------------------------------------------------- /examples/basic/versions.tf: -------------------------------------------------------------------------------- 1 | # Terraform version 2 | terraform { 3 | required_version = ">= 1.6.6" 4 | 5 | required_providers { 6 | aws = { 7 | source = "hashicorp/aws" 8 | version = ">= 5.31.0" 9 | } 10 | } 11 | } 12 | -------------------------------------------------------------------------------- /examples/complete/example.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = "us-west-1" 3 | } 4 | 5 | locals { 6 | name = "vpc" 7 | environment = "example" 8 | } 9 | ##----------------------------------------------------------------------------- 10 | ## VPC Module Call. 11 | ##----------------------------------------------------------------------------- 12 | module "vpc" { 13 | source = "../.." 
14 | 15 | name = local.name 16 | environment = local.environment 17 | cidr_block = "10.0.0.0/16" 18 | enable_flow_log = true 19 | enable = true 20 | flow_log_destination_type = "s3" 21 | flow_logs_bucket_name = "gc-vpc-flow-logs-bucket" 22 | additional_cidr_block = ["172.3.0.0/16", "172.2.0.0/16"] 23 | dhcp_options_domain_name = "service.consul" 24 | dhcp_options_domain_name_servers = ["127.0.0.1", "10.10.0.2"] 25 | } 26 | -------------------------------------------------------------------------------- /examples/complete/outputs.tf: -------------------------------------------------------------------------------- 1 | output "id" { 2 | value = module.vpc[*].vpc_id 3 | description = "The ID of the VPC." 4 | } 5 | 6 | output "tags" { 7 | value = module.vpc[*].tags 8 | description = "A mapping of tags to assign to the resource." 9 | } 10 | 11 | output "vpc_cidr" { 12 | value = module.vpc[*].vpc_cidr_block 13 | description = "The primary IPv4 CIDR block" 14 | } 15 | 16 | output "vpc_ipv6_cidr_block" { 17 | value = module.vpc[*].ipv6_cidr_block 18 | description = "The primary IPv6 CIDR block" 19 | } 20 | 21 | output "vpc_ipv6_association_id" { 22 | value = module.vpc[*].vpc_ipv6_association_id 23 | description = "The association ID for the primary IPv6 CIDR block" 24 | } 25 | 26 | output "ipv6_cidr_block_network_border_group" { 27 | value = module.vpc[*].ipv6_cidr_block_network_border_group 28 | description = "The Network Border Group Zone name" 29 | } 30 | -------------------------------------------------------------------------------- /examples/complete/versions.tf: -------------------------------------------------------------------------------- 1 | # Terraform version 2 | terraform { 3 | required_version = ">= 1.6.6" 4 | 5 | required_providers { 6 | aws = { 7 | source = "hashicorp/aws" 8 | version = ">= 5.31.0" 9 | } 10 | } 11 | } 12 | -------------------------------------------------------------------------------- /main.tf: 
-------------------------------------------------------------------------------- 1 | # Managed By : CloudDrove 2 | # Copyright @ CloudDrove. All Right Reserved. 3 | 4 | 5 | ##----------------------------------------------------------------------------- 6 | ## Labels module callled that will be used for naming and tags. 7 | ##----------------------------------------------------------------------------- 8 | module "labels" { 9 | source = "clouddrove/labels/aws" 10 | version = "1.3.0" 11 | name = var.name 12 | environment = var.environment 13 | managedby = var.managedby 14 | label_order = var.label_order 15 | repository = var.repository 16 | } 17 | ##----------------------------------------------------------------------------- 18 | ## Below resources will deploy VPC and its components. 19 | ##----------------------------------------------------------------------------- 20 | #tfsec:ignore:aws-ec2-require-vpc-flow-logs-for-all-vpcs ## Because flow log resource for vpc is defined below. 21 | resource "aws_vpc" "default" { 22 | count = var.enable ? 1 : 0 23 | cidr_block = var.ipam_pool_enable ? 
null : var.cidr_block 24 | ipv4_ipam_pool_id = var.ipv4_ipam_pool_id 25 | ipv4_netmask_length = var.ipv4_netmask_length 26 | ipv6_cidr_block = var.ipv6_cidr_block 27 | ipv6_ipam_pool_id = var.ipv6_ipam_pool_id 28 | ipv6_netmask_length = var.ipv6_netmask_length 29 | instance_tenancy = var.instance_tenancy 30 | enable_dns_hostnames = var.dns_hostnames_enabled 31 | enable_dns_support = var.dns_support_enabled 32 | assign_generated_ipv6_cidr_block = var.assign_generated_ipv6_cidr_block 33 | ipv6_cidr_block_network_border_group = var.ipv6_cidr_block_network_border_group 34 | enable_network_address_usage_metrics = var.enable_network_address_usage_metrics 35 | tags = module.labels.tags 36 | lifecycle { 37 | # Ignore tags added by kubernetes 38 | ignore_changes = [ 39 | tags, 40 | tags["kubernetes.io"], 41 | tags["SubnetType"], 42 | ] 43 | } 44 | } 45 | 46 | resource "aws_vpc_ipv4_cidr_block_association" "default" { 47 | for_each = { for k in var.additional_cidr_block : k => k if var.enable } 48 | vpc_id = join("", aws_vpc.default[*].id) 49 | cidr_block = each.key 50 | } 51 | 52 | resource "aws_internet_gateway" "default" { 53 | count = var.enable ? 1 : 0 54 | vpc_id = join("", aws_vpc.default[*].id) 55 | tags = merge( 56 | module.labels.tags, 57 | { 58 | "Name" = format("%s-igw", module.labels.id) 59 | } 60 | ) 61 | } 62 | 63 | resource "aws_egress_only_internet_gateway" "default" { 64 | count = var.enable && var.enabled_ipv6_egress_only_internet_gateway ? 1 : 0 65 | vpc_id = join("", aws_vpc.default[*].id) 66 | tags = module.labels.tags 67 | } 68 | ##----------------------------------------------------------------------------- 69 | ## Below resource is used to create default security group for vpc communication. 70 | ##----------------------------------------------------------------------------- 71 | resource "aws_default_security_group" "default" { 72 | count = var.enable && var.restrict_default_sg == true ? 
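1 : 0
  vpc_id = join("", aws_vpc.default[*].id)
  # Rules come in as list(map(string)); list-valued arguments are therefore
  # passed as comma-separated strings and split/compacted here. Missing keys
  # fall back to "allow everything from self" (self = true, all ports, -1).
  dynamic "ingress" {
    for_each = var.default_security_group_ingress
    content {
      self             = lookup(ingress.value, "self", true)
      cidr_blocks      = compact(split(",", lookup(ingress.value, "cidr_blocks", "")))
      ipv6_cidr_blocks = compact(split(",", lookup(ingress.value, "ipv6_cidr_blocks", "")))
      prefix_list_ids  = compact(split(",", lookup(ingress.value, "prefix_list_ids", "")))
      security_groups  = compact(split(",", lookup(ingress.value, "security_groups", "")))
      description      = lookup(ingress.value, "description", null)
      from_port        = lookup(ingress.value, "from_port", 0)
      to_port          = lookup(ingress.value, "to_port", 0)
      protocol         = lookup(ingress.value, "protocol", "-1")
    }
  }
  dynamic "egress" {
    for_each = var.default_security_group_egress
    content {
      self             = lookup(egress.value, "self", true)
      cidr_blocks      = compact(split(",", lookup(egress.value, "cidr_blocks", "")))
      ipv6_cidr_blocks = compact(split(",", lookup(egress.value, "ipv6_cidr_blocks", "")))
      prefix_list_ids  = compact(split(",", lookup(egress.value, "prefix_list_ids", "")))
      security_groups  = compact(split(",", lookup(egress.value, "security_groups", "")))
      description      = lookup(egress.value, "description", null)
      from_port        = lookup(egress.value, "from_port", 0)
      to_port          = lookup(egress.value, "to_port", 0)
      protocol         = lookup(egress.value, "protocol", "-1")
    }
  }
  tags = merge(
    module.labels.tags,
    {
      "Name" = format("%s-default-sg", module.labels.id)
    }
  )
}
##-----------------------------------------------------------------------------
## Below resource will create default route table for vpc communication.
## Adopts the VPC's default route table so its routes are managed by Terraform.
##-----------------------------------------------------------------------------
resource "aws_default_route_table" "default" {
  count                  = var.enable && var.aws_default_route_table ? 1 : 0
  default_route_table_id = aws_vpc.default[0].default_route_table_id
  # var.default_route_table_routes is a list(map(string)). Every key is read
  # with lookup() so a route can carry any one destination and any one target;
  # cidr_block used to be accessed directly, which failed for IPv6-only or
  # prefix-list routes despite the comment promising they are alternatives.
  dynamic "route" {
    for_each = var.default_route_table_routes
    content {
      # One of the following destinations must be provided
      cidr_block                 = lookup(route.value, "cidr_block", null)
      ipv6_cidr_block            = lookup(route.value, "ipv6_cidr_block", null)
      destination_prefix_list_id = lookup(route.value, "destination_prefix_list_id", null)
      # One of the following targets must be provided
      egress_only_gateway_id    = lookup(route.value, "egress_only_gateway_id", null)
      gateway_id                = lookup(route.value, "gateway_id", null)
      instance_id               = lookup(route.value, "instance_id", null)
      nat_gateway_id            = lookup(route.value, "nat_gateway_id", null)
      network_interface_id      = lookup(route.value, "network_interface_id", null)
      transit_gateway_id        = lookup(route.value, "transit_gateway_id", null)
      vpc_endpoint_id           = lookup(route.value, "vpc_endpoint_id", null)
      vpc_peering_connection_id = lookup(route.value, "vpc_peering_connection_id", null)
    }
  }
  tags = merge(
    module.labels.tags,
    {
      "Name" = format("%s-default-rt", module.labels.id)
    }
  )
}
##-----------------------------------------------------------------------------
## Below resource is used to configure vpc dhcp options.
## Only created when var.enable_dhcp_options is true; the association resource
## below binds the option set to the VPC created by this module.
##-----------------------------------------------------------------------------
resource "aws_vpc_dhcp_options" "vpc_dhcp" {
  count                = var.enable && var.enable_dhcp_options ? 1 : 0
  domain_name          = var.dhcp_options_domain_name
  domain_name_servers  = var.dhcp_options_domain_name_servers
  ntp_servers          = var.dhcp_options_ntp_servers
  netbios_name_servers = var.dhcp_options_netbios_name_servers
  netbios_node_type    = var.dhcp_options_netbios_node_type
  tags = merge(
    module.labels.tags,
    {
      "Name" = format("%s-vpc-dhcp", module.labels.id)
    }
  )
}

resource "aws_vpc_dhcp_options_association" "this" {
  count           = var.enable && var.enable_dhcp_options ? 1 : 0
  vpc_id          = join("", aws_vpc.default[*].id)
  dhcp_options_id = join("", aws_vpc_dhcp_options.vpc_dhcp[*].id)
}

##-----------------------------------------------------------------------------
## Below resource will create kms key. This key will used for encryption of flow logs stored in S3 bucket or cloudwatch log group.
## The key is only created when flow logs are enabled AND the caller did not
## supply an existing destination (var.flow_log_destination_arn == null).
##-----------------------------------------------------------------------------
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

resource "aws_kms_key" "kms" {
  count                   = var.enable && var.enable_flow_log && var.flow_log_destination_arn == null ? 1 : 0
  deletion_window_in_days = var.kms_key_deletion_window
  enable_key_rotation     = var.enable_key_rotation
  # NOTE(review): a key policy is attached further down only for the
  # "cloud-watch-logs" destination. For the "s3" destination with SSE-KMS the
  # flow-log delivery service presumably also needs a key-policy grant on this
  # key — confirm against the AWS flow-logs-to-S3 documentation.
  tags = module.labels.tags
}

resource "aws_kms_alias" "kms-alias" {
  count         = var.enable && var.enable_flow_log && var.flow_log_destination_arn == null ? 1 : 0
  name          = format("alias/%s-flow-log-key", module.labels.id)
  target_key_id = aws_kms_key.kms[0].key_id
}

##-----------------------------------------------------------------------------
## Below resource will attach policy to above created kms key. The above created key require policy to be attached so that cloudwatch log group can access it.
## It will be only created when vpc flow logs are stored in cloudwatch log group.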
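##-----------------------------------------------------------------------------
resource "aws_kms_key_policy" "example" {
  count  = var.enable && var.enable_flow_log && var.flow_log_destination_arn == null && var.flow_log_destination_type == "cloud-watch-logs" ? 1 : 0
  key_id = aws_kms_key.kms[0].id
  policy = jsonencode({
    "Version" : "2012-10-17",
    "Id" : "key-default-1",
    "Statement" : [
      {
        # Keeps the owning account able to administer the key through IAM.
        "Sid" : "Enable IAM User Permissions",
        "Effect" : "Allow",
        "Principal" : {
          "AWS" : "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
        },
        "Action" : "kms:*",
        "Resource" : "*"
      },
      {
        # CloudWatch Logs puts the log group ARN into the encryption context, so
        # the condition limits this grant to the flow-log group created below
        # instead of any log group in the account. The name must stay in sync
        # with aws_cloudwatch_log_group.flow_log (the group cannot be referenced
        # here because it must wait for this policy before it can be created).
        "Sid" : "AllowCloudWatchLogsUseOfTheKey",
        "Effect" : "Allow",
        "Principal" : { "Service" : "logs.${data.aws_region.current.name}.amazonaws.com" },
        "Action" : [
          "kms:Encrypt*",
          "kms:Decrypt*",
          "kms:ReEncrypt*",
          "kms:GenerateDataKey*",
          "kms:Describe*"
        ],
        "Resource" : "*",
        "Condition" : {
          "ArnEquals" : {
            "kms:EncryptionContext:aws:logs:arn" : format(
              "arn:aws:logs:%s:%s:log-group:%s-vpc-flow-log-cloudwatch_log_group",
              data.aws_region.current.name,
              data.aws_caller_identity.current.account_id,
              module.labels.id
            )
          }
        }
      }
    ]
  })

}
##-----------------------------------------------------------------------------
## Below resources will create S3 bucket and its components. This S3 bucket will be used to store vpc flow logs if "flow_log_destination_type" variable is set to "s3".
## All of them share one count expression: flow logs on, no external destination, type "s3".
##-----------------------------------------------------------------------------
resource "aws_s3_bucket" "mybucket" {
  count  = var.enable && var.enable_flow_log && var.flow_log_destination_arn == null && var.flow_log_destination_type == "s3" ? 1 : 0
  bucket = var.flow_logs_bucket_name
}

resource "aws_s3_bucket_ownership_controls" "example" {
  count  = var.enable && var.enable_flow_log && var.flow_log_destination_arn == null && var.flow_log_destination_type == "s3" ? 1 : 0
  bucket = join("", aws_s3_bucket.mybucket[*].id)
  rule {
    object_ownership = "BucketOwnerPreferred"
  }
}

resource "aws_s3_bucket_acl" "example" {
  count      = var.enable && var.enable_flow_log && var.flow_log_destination_arn == null && var.flow_log_destination_type == "s3" ? 1 : 0
  # ACLs can only be set once ownership controls exist on the bucket.
  depends_on = [aws_s3_bucket_ownership_controls.example]
  bucket     = join("", aws_s3_bucket.mybucket[*].id)
  acl        = "private"
}

resource "aws_s3_bucket_public_access_block" "example" {
  count                   = var.enable && var.enable_flow_log && var.flow_log_destination_arn == null && var.flow_log_destination_type == "s3" ? 1 : 0
  bucket                  = aws_s3_bucket.mybucket[0].id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_server_side_encryption_configuration" "example" {
  count  = var.enable && var.enable_flow_log && var.flow_log_destination_arn == null && var.flow_log_destination_type == "s3" ? 1 : 0
  bucket = aws_s3_bucket.mybucket[0].id
  rule {
    apply_server_side_encryption_by_default {
      # A KMS key id is only meaningful with aws:kms; omit it for AES256 so the
      # configuration is valid for both values of var.s3_sse_algorithm.
      kms_master_key_id = var.s3_sse_algorithm == "aws:kms" ? aws_kms_key.kms[0].arn : null
      sse_algorithm     = var.s3_sse_algorithm //"aws:kms"
    }
  }
}

# Denies every S3 action over plain HTTP (aws:SecureTransport == false).
# NOTE(review): a Terraform-managed bucket policy replaces whatever policy the
# flow-log service may add for log delivery; presumably the delivery statements
# have to be carried here as well — confirm against the flow-logs-to-S3 docs.
resource "aws_s3_bucket_policy" "block-http" {
  count  = var.enable && var.enable_flow_log && var.flow_log_destination_arn == null && var.flow_log_destination_type == "s3" && var.block_http_traffic ? 1 : 0
  bucket = aws_s3_bucket.mybucket[0].id

  policy = jsonencode({
    Version = "2012-10-17"
    Id      = "Blockhttp"
    Statement = [
      {
        "Sid" : "AllowSSLRequestsOnly",
        "Effect" : "Deny",
        "Principal" : "*",
        "Action" : "s3:*",
        "Resource" : [
          aws_s3_bucket.mybucket[0].arn,
          "${aws_s3_bucket.mybucket[0].arn}/*",
        ],
        "Condition" : {
          "Bool" : {
            "aws:SecureTransport" : "false"
          }
        }
      },
    ]
  })
}

##-----------------------------------------------------------------------------
## Below resources will create cloudwatch log group and its components. This cloudwatch log group will be used to store vpc flow logs if "flow_log_destination_type" variable is set to "cloud-watch-logs".
##-----------------------------------------------------------------------------
resource "aws_cloudwatch_log_group" "flow_log" {
  count             = var.enable && var.enable_flow_log && var.flow_log_destination_arn == null && var.flow_log_destination_type == "cloud-watch-logs" ? 1 : 0
  name              = format("%s-vpc-flow-log-cloudwatch_log_group", module.labels.id)
  retention_in_days = var.flow_log_cloudwatch_log_group_retention_in_days
  kms_key_id        = aws_kms_key.kms[0].arn
  tags              = module.labels.tags
  # The log group only references the key, not the key policy, so without this
  # both would be created in parallel and the group could be created before
  # the logs service principal is allowed to use the key.
  depends_on = [aws_kms_key_policy.example]
}

# IAM role assumed by the VPC Flow Logs service to write into the log group.
# Created only for the module-owned CloudWatch destination and only when the
# caller asks for it (var.create_flow_log_cloudwatch_iam_role).
resource "aws_iam_role" "vpc_flow_log_cloudwatch" {
  count                = var.enable && var.enable_flow_log && var.flow_log_destination_arn == null && var.flow_log_destination_type == "cloud-watch-logs" && var.create_flow_log_cloudwatch_iam_role ? 1 : 0
  name                 = format("%s-vpc-flow-log-role", module.labels.id)
  assume_role_policy   = data.aws_iam_policy_document.flow_log_cloudwatch_assume_role[0].json
  permissions_boundary = var.vpc_flow_log_permissions_boundary
  tags                 = module.labels.tags
}

data "aws_iam_policy_document" "flow_log_cloudwatch_assume_role" {
  count = var.enable && var.enable_flow_log && var.flow_log_destination_arn == null && var.flow_log_destination_type == "cloud-watch-logs" && var.create_flow_log_cloudwatch_iam_role ? 1 : 0
  statement {
    sid = "AWSVPCFlowLogsAssumeRole"
    principals {
      type        = "Service"
      identifiers = ["vpc-flow-logs.amazonaws.com"]
    }
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
  }
}

resource "aws_iam_role_policy_attachment" "vpc_flow_log_cloudwatch" {
  count      = var.enable && var.enable_flow_log && var.flow_log_destination_arn == null && var.flow_log_destination_type == "cloud-watch-logs" && var.create_flow_log_cloudwatch_iam_role ? 1 : 0
  role       = aws_iam_role.vpc_flow_log_cloudwatch[0].name
  policy_arn = aws_iam_policy.vpc_flow_log_cloudwatch[0].arn
}

resource "aws_iam_policy" "vpc_flow_log_cloudwatch" {
  count  = var.enable && var.enable_flow_log && var.flow_log_destination_arn == null && var.flow_log_destination_type == "cloud-watch-logs" && var.create_flow_log_cloudwatch_iam_role ? 1 : 0
  name   = format("%s-vpc-flow-log-to-cloudwatch", module.labels.id)
  policy = data.aws_iam_policy_document.vpc_flow_log_cloudwatch[0].json
  tags   = module.labels.tags
}

data "aws_iam_policy_document" "vpc_flow_log_cloudwatch" {
  count = var.enable && var.enable_flow_log && var.flow_log_destination_arn == null && var.flow_log_destination_type == "cloud-watch-logs" && var.create_flow_log_cloudwatch_iam_role ? 1 : 0
  # Write permissions are limited to the flow-log group (and its streams via
  # the ":*" suffix) rather than every log group in the account. The group is
  # guaranteed to exist here because its count is a subset of this one's.
  statement {
    sid    = "AWSVPCFlowLogsPushToCloudWatch"
    effect = "Allow"
    actions = [
      "logs:CreateLogStream",
      "logs:PutLogEvents",
      "logs:DescribeLogStreams",
    ]
    resources = [
      aws_cloudwatch_log_group.flow_log[0].arn,
      "${aws_cloudwatch_log_group.flow_log[0].arn}:*",
    ]
  }
  # DescribeLogGroups does not support resource-level restriction.
  statement {
    sid       = "AWSVPCFlowLogsDescribeLogGroups"
    effect    = "Allow"
    actions   = ["logs:DescribeLogGroups"]
    resources = ["*"]
  }
}
##---------------------------------------------------------------------------------------------
## Below resource will deploy vpc flow logs for vpc created above. VPC flow log can be stored in either S3 bucket or Cloudwatch log group, as per your requirement.
##---------------------------------------------------------------------------------------------
resource "aws_flow_log" "vpc_flow_log" {
  count                = var.enable && var.enable_flow_log ? 1 : 0
  log_destination_type = var.flow_log_destination_type
  # With no external destination, deliver to whichever resource this module created.
  log_destination = var.flow_log_destination_arn == null ? (var.flow_log_destination_type == "s3" ? aws_s3_bucket.mybucket[0].arn : aws_cloudwatch_log_group.flow_log[0].arn) : var.flow_log_destination_arn
  log_format      = var.flow_log_log_format
  # Mirrors the count of aws_iam_role.vpc_flow_log_cloudwatch: the role exists
  # only for the module-owned CloudWatch destination, so indexing [0] in any
  # other configuration (e.g. create flag on with an S3 destination) failed at
  # plan time. S3 delivery needs no role, so the fallback is the caller's value.
  iam_role_arn             = var.flow_log_destination_arn == null && var.flow_log_destination_type == "cloud-watch-logs" && var.create_flow_log_cloudwatch_iam_role ? aws_iam_role.vpc_flow_log_cloudwatch[0].arn : var.flow_log_iam_role_arn
  traffic_type             = var.flow_log_traffic_type
  vpc_id                   = join("", aws_vpc.default[*].id)
  max_aggregation_interval = var.flow_log_max_aggregation_interval
  # destination_options is only valid for S3 destinations.
  dynamic "destination_options" {
    for_each = var.flow_log_destination_type == "s3" ? [true] : []

    content {
      file_format                = var.flow_log_file_format
      hive_compatible_partitions = var.flow_log_hive_compatible_partitions
      per_hour_partition         = var.flow_log_per_hour_partition
    }
  }
  tags = module.labels.tags
}
##----------------------------------------------------------------------------------------------------
## Below resource will deploy default network acl for vpc communication.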
##-------------------------------------------------------------------------------------------------------
## Adopts the VPC's default network ACL and replaces its rules with the lists in
## var.default_network_acl_ingress / var.default_network_acl_egress. NACLs are
## stateless, so both directions must be listed explicitly.
resource "aws_default_network_acl" "default" {
  count                  = var.enable && var.aws_default_network_acl ? 1 : 0
  default_network_acl_id = aws_vpc.default[0].default_network_acl_id
  # action, from_port, protocol, rule_no and to_port are read directly and are
  # therefore required in every rule map; the remaining keys are optional.
  dynamic "ingress" {
    for_each = var.default_network_acl_ingress
    content {
      action          = ingress.value.action
      cidr_block      = lookup(ingress.value, "cidr_block", null)
      from_port       = ingress.value.from_port
      icmp_code       = lookup(ingress.value, "icmp_code", null)
      icmp_type       = lookup(ingress.value, "icmp_type", null)
      ipv6_cidr_block = lookup(ingress.value, "ipv6_cidr_block", null)
      protocol        = ingress.value.protocol
      rule_no         = ingress.value.rule_no
      to_port         = ingress.value.to_port
    }
  }
  dynamic "egress" {
    for_each = var.default_network_acl_egress
    content {
      action          = egress.value.action
      cidr_block      = lookup(egress.value, "cidr_block", null)
      from_port       = egress.value.from_port
      icmp_code       = lookup(egress.value, "icmp_code", null)
      icmp_type       = lookup(egress.value, "icmp_type", null)
      ipv6_cidr_block = lookup(egress.value, "ipv6_cidr_block", null)
      protocol        = egress.value.protocol
      rule_no         = egress.value.rule_no
      to_port         = egress.value.to_port
    }
  }
  tags = merge(
    module.labels.tags,
    {
      "Name" = format("%s-nacl", module.labels.id)
    }
  )
}
-------------------------------------------------------------------------------- /outputs.tf: --------------------------------------------------------------------------------
#Module : VPC
#Description : Terraform module to VPC outputs.
# Every VPC output uses join("", x[*].attr) so it evaluates to "" instead of
# failing when var.enable is false and no VPC was created.
output "vpc_id" {
  value       = join("", aws_vpc.default[*].id)
  description = "The ID of the VPC."
}

output "vpc_arn" {
  value       = join("", aws_vpc.default[*].arn)
  description = "The ARN of the VPC"
}

output "vpc_cidr_block" {
  value       = join("", aws_vpc.default[*].cidr_block)
  description = "The CIDR block of the VPC."
}

output "ipv6_cidr_block" {
  value       = join("", aws_vpc.default[*].ipv6_cidr_block)
  description = "The IPv6 CIDR block."
}

output "vpc_ipv6_association_id" {
  value       = join("", aws_vpc.default[*].ipv6_association_id)
  description = "The association ID for the IPv6 CIDR block."
}

output "ipv6_cidr_block_network_border_group" {
  value       = join("", aws_vpc.default[*].ipv6_cidr_block_network_border_group)
  description = "The IPv6 Network Border Group Zone name"
}

output "vpc_main_route_table_id" {
  value       = join("", aws_vpc.default[*].main_route_table_id)
  description = "The ID of the main route table associated with this VPC."
}

output "vpc_default_network_acl_id" {
  value       = join("", aws_vpc.default[*].default_network_acl_id)
  description = "The ID of the network ACL created by default on VPC creation."
}

output "vpc_default_security_group_id" {
  value       = join("", aws_vpc.default[*].default_security_group_id)
  description = "The ID of the security group created by default on VPC creation."
}

output "vpc_default_route_table_id" {
  value       = join("", aws_vpc.default[*].default_route_table_id)
  description = "The ID of the route table created by default on VPC creation."
}

output "tags" {
  value       = module.labels.tags
  description = "A mapping of tags to assign to the resource."
}

####-------------------------------------------------------------------------------------
#Module : INTERNET GATEWAY
#Description : Terraform internet gateway module output variables.
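####--------------------------------------------------------------------------------------
output "igw_id" {
  value       = join("", aws_internet_gateway.default[*].id)
  description = "The ID of the Internet Gateway."
}

output "ipv6_egress_only_igw_id" {
  value       = join("", aws_egress_only_internet_gateway.default[*].id)
  description = "The ID of the egress-only Internet Gateway"
}

# The value is the flow log's ARN, not the VPC's (that is output "vpc_arn");
# the description used to say otherwise.
output "arn" {
  value       = join("", aws_flow_log.vpc_flow_log[*].arn)
  description = "Amazon Resource Name (ARN) of the VPC flow log (empty when flow logs are disabled)"
}
-------------------------------------------------------------------------------- /variables.tf: --------------------------------------------------------------------------------
#Module : LABEL
#Description : Terraform label module variables.
variable "name" {
  type        = string
  default     = ""
  description = "Name (e.g. `app` or `cluster`)."
}

variable "environment" {
  type        = string
  default     = ""
  description = "Environment (e.g. `prod`, `dev`, `staging`)."
}

variable "repository" {
  type        = string
  default     = "https://github.com/clouddrove/terraform-aws-vpc"
  description = "Terraform current module repo"
}

variable "label_order" {
  type        = list(any)
  default     = ["name", "environment"]
  description = "Label order, e.g. `name`,`application`."
}

variable "managedby" {
  type        = string
  default     = "hello@clouddrove.com"
  description = "ManagedBy, eg 'CloudDrove'"
}

#Module : VPC
#Description : Terraform VPC module variables.
variable "enable" {
  type        = bool
  default     = true
  description = "Flag to control the vpc creation."
}

variable "restrict_default_sg" {
  type        = bool
  default     = true
  description = "Flag to control the restricted default security group creation."
}

variable "cidr_block" {
  type        = string
  default     = ""
  description = "CIDR for the VPC."
}

variable "additional_cidr_block" {
  type        = list(string)
  default     = []
  description = "List of secondary CIDR blocks of the VPC."
}

variable "ipv6_cidr_block" {
  type        = string
  default     = null
  description = "IPv6 CIDR for the VPC."
}

variable "instance_tenancy" {
  type        = string
  default     = "default"
  description = "A tenancy option for instances launched into the VPC."
}

variable "dns_hostnames_enabled" {
  type        = bool
  default     = true
  description = "A boolean flag to enable/disable DNS hostnames in the VPC."
}

variable "dns_support_enabled" {
  type        = bool
  default     = true
  description = "A boolean flag to enable/disable DNS support in the VPC."
}

#Module : FLOW LOG
#Description : Terraform flow log module variables.
variable "enable_flow_log" {
  type        = bool
  default     = false
  description = "Flag to enable VPC flow logs."
}

variable "ipv4_ipam_pool_id" {
  type        = string
  default     = ""
  description = "The ID of an IPv4 IPAM pool you want to use for allocating this VPC's CIDR."
}

variable "ipv4_netmask_length" {
  type        = string
  default     = null
  description = "The netmask length of the IPv4 CIDR you want to allocate to this VPC. Requires specifying a ipv4_ipam_pool_id"
}

variable "ipv6_ipam_pool_id" {
  type        = string
  default     = null
  description = "The ID of an IPv6 IPAM pool you want to use for allocating this VPC's CIDR."
}

variable "ipv6_netmask_length" {
  type        = string
  default     = null
  description = "The netmask length of the IPv6 CIDR you want to allocate to this VPC. Requires specifying a ipv6_ipam_pool_id"
}

variable "default_security_group_ingress" {
  type        = list(map(string))
  default     = []
  description = "List of maps of ingress rules to set on the default security group"
}

variable "default_security_group_egress" {
  type        = list(map(string))
  default     = []
  description = "List of maps of egress rules to set on the default security group"
}

variable "enable_dhcp_options" {
  type        = bool
  default     = false
  description = "Should be true if you want to specify a DHCP options set with a custom domain name, DNS servers, NTP servers, netbios servers, and/or netbios server type"
}

variable "dhcp_options_domain_name" {
  type        = string
  default     = "service.consul"
  description = "Specifies DNS name for DHCP options set (requires enable_dhcp_options set to true)"
}

variable "dhcp_options_domain_name_servers" {
  type        = list(string)
  default     = ["AmazonProvidedDNS"]
  description = "Specify a list of DNS server addresses for DHCP options set, default to AWS provided (requires enable_dhcp_options set to true)"
}

variable "dhcp_options_ntp_servers" {
  type        = list(string)
  default     = []
  description = "Specify a list of NTP servers for DHCP options set (requires enable_dhcp_options set to true)"
}

variable "dhcp_options_netbios_name_servers" {
  type        = list(string)
  default     = []
  description = "Specify a list of netbios servers for DHCP options set (requires enable_dhcp_options set to true)"
}

variable "dhcp_options_netbios_node_type" {
  type        = string
  default     = ""
  description = "Specify netbios node_type for DHCP options set (requires enable_dhcp_options set to true)"
}

variable "enabled_ipv6_egress_only_internet_gateway" {
  type        = bool
  default     = true
  description = "A boolean flag to enable/disable IPv6 Egress-Only Internet Gateway creation"
}

variable "ipv6_cidr_block_network_border_group" {
  type        = string
  default     = null
  description = "Set this to restrict advertisement of public addresses to a specific Network Border Group such as a LocalZone."
}

variable "aws_default_route_table" {
  type        = bool
  default     = true
  description = "A boolean flag to enable/disable Default Route Table in the VPC."
}

variable "enable_network_address_usage_metrics" {
  type        = bool
  default     = null
  description = "Determines whether network address usage metrics are enabled for the VPC"
}

variable "assign_generated_ipv6_cidr_block" {
  type        = bool
  default     = true
  description = "Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block. Conflicts with ipv6_ipam_pool_id"
}

variable "aws_default_network_acl" {
  type        = bool
  default     = true
  description = "A boolean flag to enable/disable Default Network acl in the VPC."
}

variable "flow_logs_bucket_name" {
  type        = string
  default     = null
  description = "Name of the S3 bucket created for flow logs when `flow_log_destination_type` is `s3` (e.g. `mybucket`). Leaving it null lets the provider generate a unique name."
}

variable "ipam_pool_enable" {
  type        = bool
  default     = false
  description = "Flag to be set true when using ipam for cidr."
}

variable "default_route_table_routes" {
  type        = list(map(string))
  default     = []
  description = "Configuration block of routes. Each map may carry one destination (cidr_block, ipv6_cidr_block or destination_prefix_list_id) and one target key."
}

# The defaults reproduce the AWS default network ACL: allow all IPv4 and IPv6
# traffic in both directions. Tighten them per environment as required.
variable "default_network_acl_ingress" {
  description = "List of maps of ingress rules to set on the Default Network ACL"
  type        = list(map(string))
  default = [
    {
      rule_no    = 100
      action     = "allow"
      from_port  = 0
      to_port    = 0
      protocol   = "-1"
      cidr_block = "0.0.0.0/0"
    },
    {
      rule_no         = 101
      action          = "allow"
      from_port       = 0
      to_port         = 0
      protocol        = "-1"
      ipv6_cidr_block = "::/0"
    },
  ]
}

variable "default_network_acl_egress" {
  description = "List of maps of egress rules to set on the Default Network ACL"
  type        = list(map(string))
  default = [
    {
      rule_no    = 100
      action     = "allow"
      from_port  = 0
      to_port    = 0
      protocol   = "-1"
      cidr_block = "0.0.0.0/0"
    },
    {
      rule_no         = 101
      action          = "allow"
      from_port       = 0
      to_port         = 0
      protocol        = "-1"
      ipv6_cidr_block = "::/0"
    },
  ]
}

variable "flow_log_destination_type" {
  type        = string
  default     = "cloud-watch-logs"
  description = "Type of flow log destination. Can be s3 or cloud-watch-logs"
  # main.tf treats anything other than "s3" as CloudWatch, so an unsupported
  # value used to be accepted silently; reject it at the module boundary.
  validation {
    condition     = contains(["s3", "cloud-watch-logs"], var.flow_log_destination_type)
    error_message = "flow_log_destination_type must be either \"s3\" or \"cloud-watch-logs\"."
  }
}

variable "flow_log_log_format" {
  type        = string
  default     = null
  description = "The fields to include in the flow log record, in the order in which they should appear"
}

variable "flow_log_file_format" {
  type        = string
  default     = null
  description = "(Optional) The format for the flow log. Valid values: `plain-text`, `parquet`"
  validation {
    condition     = var.flow_log_file_format == null || contains(["plain-text", "parquet"], var.flow_log_file_format)
    error_message = "flow_log_file_format must be null, \"plain-text\" or \"parquet\"."
  }
}

variable "flow_log_hive_compatible_partitions" {
  type        = bool
  default     = false
  description = "(Optional) Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3"
}

variable "flow_log_per_hour_partition" {
  type        = bool
  default     = false
  description = "(Optional) Indicates whether to partition the flow log per hour. This reduces the cost and response time for queries"
}

variable "flow_log_max_aggregation_interval" {
  type        = number
  default     = 600
  description = "The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: `60` seconds or `600` seconds"
  validation {
    condition     = contains([60, 600], var.flow_log_max_aggregation_interval)
    error_message = "flow_log_max_aggregation_interval must be 60 or 600."
  }
}

variable "flow_log_traffic_type" {
  type        = string
  default     = "ALL"
  description = "The type of traffic to capture. Valid values: ACCEPT, REJECT, ALL"
  validation {
    condition     = contains(["ACCEPT", "REJECT", "ALL"], var.flow_log_traffic_type)
    error_message = "flow_log_traffic_type must be one of ACCEPT, REJECT or ALL."
  }
}

variable "create_flow_log_cloudwatch_iam_role" {
  type        = bool
  default     = false
  description = "Flag to be set true when cloudwatch iam role is to be created when flow log destination type is set to cloudwatch logs."
}

variable "flow_log_cloudwatch_log_group_retention_in_days" {
  type        = number
  default     = null
  description = "Specifies the number of days you want to retain log events in the specified log group for VPC flow logs"
}

variable "vpc_flow_log_permissions_boundary" {
  type        = string
  default     = null
  description = "The ARN of the Permissions Boundary for the VPC Flow Log IAM Role"
}

variable "flow_log_iam_role_arn" {
  type        = string
  default     = null
  description = "The ARN for the IAM role that's used to post flow logs to a CloudWatch Logs log group. When flow_log_destination_arn is set to ARN of Cloudwatch Logs, this argument needs to be provided"
}

variable "kms_key_deletion_window" {
  type        = number
  default     = 10
  description = "KMS Key deletion window in days."
}

variable "flow_log_destination_arn" {
  type        = string
  default     = null
  description = "ARN of destination where vpc flow logs are to be stored. Can be of existing s3 or existing cloudwatch log group."
}

variable "s3_sse_algorithm" {
  type        = string
  default     = "aws:kms"
  description = "Server-side encryption algorithm to use. Valid values are AES256 and aws:kms"
  validation {
    condition     = contains(["AES256", "aws:kms"], var.s3_sse_algorithm)
    error_message = "s3_sse_algorithm must be either \"AES256\" or \"aws:kms\"."
  }
}

variable "enable_key_rotation" {
  type        = bool
  default     = true
  description = "Specifies whether key rotation is enabled. Defaults to true(security best practice)"
}

variable "block_http_traffic" {
  type        = bool
  default     = true
  description = "True when http traffic has to be blocked for S3."
}
-------------------------------------------------------------------------------- /versions.tf: --------------------------------------------------------------------------------
# Terraform version
terraform {
  required_version = ">= 1.6.6"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.31.0"
    }
  }
}
--------------------------------------------------------------------------------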