
terraform-aws-mcaf-vpc-with-ipam

Terraform module to:

  • create and manage a VPC (using a CIDR provided by an existing IPAM pool)
  • (optionally) attach the VPC to an existing transit gateway
  • (optionally) create VPC endpoint resources using the VPC endpoints submodule

This module will be merged with the terraform-aws-mcaf-vpc module in the future.

Note

If your VPC and Transit Gateway are in the same AWS account and region, no EC2 Transit Gateway VPC Attachment Accepter can be created as this is automatically accepted. In this scenario set the transit_gateway_enable_accepter variable (default: true) to false. For more details, see AWS Documentation.

Usage

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.6 |
| aws | >= 5.82 |

Providers

| Name | Version |
|------|---------|
| aws | >= 5.82 |
| aws.transit_gateway_account | >= 5.82 |

Modules

| Name | Source | Version |
|------|--------|---------|
| log_bucket | schubergphilis/mcaf-s3/aws | ~> 1.2.0 |

Resources

| Name | Type |
|------|------|
| aws_cloudwatch_log_group.vpc_flow_logs | resource |
| aws_default_security_group.default_vpc | resource |
| aws_default_security_group.workload_vpc | resource |
| aws_default_vpc.default | resource |
| aws_ec2_transit_gateway_route_table_association.default | resource |
| aws_ec2_transit_gateway_route_table_propagation.default | resource |
| aws_ec2_transit_gateway_vpc_attachment.default | resource |
| aws_ec2_transit_gateway_vpc_attachment_accepter.default | resource |
| aws_eip.nat_gw | resource |
| aws_flow_log.default | resource |
| aws_flow_log.flow_logs_s3 | resource |
| aws_iam_policy.vpc_flow_logs | resource |
| aws_iam_role.vpc_flow_logs | resource |
| aws_iam_role_policy_attachment.vpc_flow_logs | resource |
| aws_internet_gateway.default | resource |
| aws_nat_gateway.public | resource |
| aws_route.internet_gateway | resource |
| aws_route53profiles_association.default | resource |
| aws_route_table.default | resource |
| aws_route_table_association.default | resource |
| aws_subnet.default | resource |
| aws_vpc.default | resource |
| aws_vpc_ipam_preview_next_cidr.vpc | resource |
| aws_caller_identity.default | data source |
| aws_iam_policy_document.vpc_flow_log | data source |
| aws_iam_policy_document.vpc_flow_logs_assume_role | data source |
| aws_region.default | data source |
| aws_route53profiles_profiles.default | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| availability_zones | A list of availability zone names or IDs in the region. | `list(string)` | n/a | yes |
| aws_vpc_ipam_pool | ID of the IPAM pool to get CIDRs from. | `string` | n/a | yes |
| name | Name to be used on all the resources as identifier. | `string` | n/a | yes |
| networks | A list of objects describing requested subnetwork prefixes. | `list(object({ name = string, cidr_netmask = number, public = optional(bool, false), nat_gw = optional(bool, false), tgw_attachment = optional(bool, false), tags = optional(map(string), {}) }))` | n/a | yes |
| cloudwatch_flow_logs_configuration | CloudWatch flow logs configuration. | `object({ iam_path = optional(string, "/"), iam_policy_name_prefix = optional(string, "vpc-flow-logs-to-cloudwatch-"), iam_role_name_prefix = optional(string, "vpc-flow-logs-role-"), iam_role_permissions_boundary = optional(string), kms_key_arn = string, log_format = optional(string), log_group_name = optional(string), max_aggregation_interval = optional(number, 60), retention_in_days = optional(number, 90), traffic_type = optional(string, "ALL") })` | `null` | no |
| enable_dns_hostnames | Enable DNS hostnames in the VPC. | `bool` | `true` | no |
| manage_default_vpc | Should be true to adopt and manage the default VPC. | `bool` | `true` | no |
| route53_profiles_association | Variable to enable Route53 Profiles association. Look up the 'profile_names' of Route53 Profiles in the account to associate with the VPC, and assign arbitrary association names. | `object({ profiles = optional(map(object({ association_name = string })), {}) })` | `{}` | no |
| s3_flow_logs_configuration | Variables to enable S3 flow logs for the VPC. Use 'bucket_name' to log to an S3 bucket created by this module. Alternatively, use 'log_destination' to specify a self-managed S3 bucket. The 'log_destination' variable accepts full S3 ARNs, optionally including object keys. | `object({ bucket_name = optional(string), kms_key_arn = string, log_destination = optional(string), log_format = optional(string), max_aggregation_interval = optional(number, 60), retention_in_days = optional(number, 90), traffic_type = optional(string, "ALL"), destination_options = optional(object({ file_format = optional(string), hive_compatible_partitions = optional(bool, false), per_hour_partition = optional(bool, true) }), {}) })` | `null` | no |
| tags | A map of tags to add to all resources. | `map(string)` | `{}` | no |
| transit_gateway_appliance_mode_support | Enable to attach the VPC in appliance mode on the Transit Gateway. | `bool` | `false` | no |
| transit_gateway_enable_accepter | Set to false to disable the EC2 Transit Gateway VPC Attachment Accepter; this must be false if the VPC and Transit Gateway are in the same AWS account and region. | `bool` | `true` | no |
| transit_gateway_id | Transit Gateway ID. | `string` | `""` | no |
| transit_gateway_route_table_association | Transit Gateway route table ID to attach the VPC on. | `string` | `""` | no |
| transit_gateway_route_table_propagation | Map of [logical name]→[Transit Gateway route table ID] to propagate the VPC CIDR to. | `map(string)` | `{}` | no |
| vpc_cidr_netmask | The netmask length of the IPv4 CIDR you want to allocate to this VPC. | `number` | `20` | no |
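The following is an added example of calling this module, not a snippet from the repository itself; the source ref, IPAM pool, Transit Gateway, route table and KMS key values are placeholders, and the single-account layout (VPC and Transit Gateway in one account) is an assumption chosen to show the accepter caveat from the Note above together with IPAM-based addressing and encrypted S3 flow logs.

```hcl
# Added example (not the module's own README snippet). Every value marked
# <placeholder> is an assumption; replace it with IDs from your account.
provider "aws" {
  region = "eu-west-1"
}

module "vpc" {
  # Assumption: consuming the module straight from its GitHub repository;
  # pin the ref to a release tag you have reviewed.
  source = "github.com/schubergphilis/terraform-aws-mcaf-vpc-with-ipam?ref=<placeholder-tag>"

  # The module declares an aliased provider for the Transit Gateway account.
  # Here VPC and TGW live in the same account, so both aliases map to one
  # provider and the attachment accepter is disabled (see the Note above).
  providers = {
    aws                         = aws
    aws.transit_gateway_account = aws
  }

  name               = "workload"
  aws_vpc_ipam_pool  = "ipam-pool-<placeholder>"
  vpc_cidr_netmask   = 20 # the VPC receives a /20 allocated from the pool
  availability_zones = ["eu-west-1a", "eu-west-1b"]

  # Subnet prefixes are carved out of the IPAM-allocated VPC CIDR.
  networks = [
    { name = "public",  cidr_netmask = 24, public = true, nat_gw = true },
    { name = "private", cidr_netmask = 23, tgw_attachment = true },
  ]

  transit_gateway_id                      = "tgw-<placeholder>"
  transit_gateway_enable_accepter         = false # same account and region
  transit_gateway_route_table_association = "tgw-rtb-<placeholder>"
  transit_gateway_route_table_propagation = {
    shared = "tgw-rtb-<placeholder>"
  }

  # Flow logs to an S3 bucket created by the module, encrypted with a CMK,
  # so VPC traffic metadata is retained for detection and forensics.
  s3_flow_logs_configuration = {
    bucket_name       = "workload-vpc-flow-logs-<placeholder>"
    kms_key_arn       = "arn:aws:kms:eu-west-1:111111111111:key/<placeholder>"
    traffic_type      = "ALL"
    retention_in_days = 90
  }

  tags = { environment = "prod" }
}
```

If the Transit Gateway lives in another account, point `aws.transit_gateway_account` at a provider assuming a role there and leave `transit_gateway_enable_accepter` at its default of `true`.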

Outputs

| Name | Description |
|------|-------------|
| nat_gateway_ids | List of NAT Gateway IDs |
| route_table_ids | Map of all networks in the VPC and their subnets |
| subnet_ids | Map of all networks in the VPC and their subnets |
| subnets | Map of all subnets in the VPCs |
| transit_gateway_attachment_id | Transit Gateway attachment ID |
| vpc_arn | The ARN of the VPC |
| vpc_cidr_block | The CIDR block of the VPC |
| vpc_id | The ID of the VPC |

License

Copyright: Schuberg Philis

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
