diff --git a/.gitignore b/.gitignore old mode 100644 new mode 100755 diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml old mode 100644 new mode 100755 diff --git a/.tflint.hcl b/.tflint.hcl old mode 100644 new mode 100755 diff --git a/IAM.md b/IAM.md old mode 100644 new mode 100755 diff --git a/LICENSE b/LICENSE old mode 100644 new mode 100755 diff --git a/README.md b/README.md old mode 100644 new mode 100755 index f0895b4..1e263ca --- a/README.md +++ b/README.md @@ -1,8 +1,10 @@ # AWS Network Terraform module -![squareops_avatar] - -[squareops_avatar]: https://squareops.com/wp-content/uploads/2022/12/squareops-logo.png + + + + + ### [SquareOps Technologies](https://squareops.com/) Your DevOps Partner for Accelerating cloud journey. 
@@ -29,23 +31,30 @@ module "vpc" { ipv6_enabled = true create_ipam_pool = false ipam_enabled = false - flow_log_enabled = true - vpn_key_pair_name = module.key_pair_vpn.key_pair_name - availability_zones = ["us-east-1a", "us-east-1b"] + vpc_flow_log_enabled = true + vpn_server_key_pair_name = module.key_pair_vpn.key_pair_name + vpc_availability_zones = ["us-east-1a", "us-east-1b"] vpn_server_enabled = false - intra_subnet_enabled = true + vpc_intra_subnet_enabled = true auto_assign_public_ip = true - public_subnet_enabled = true - private_subnet_enabled = true - one_nat_gateway_per_az = true - database_subnet_enabled = true + vpc_public_subnet_enabled = true + vpc_private_subnet_enable = true + vpc_one_nat_gateway_per_az = true + vpc_database_subnet_enabled = true vpn_server_instance_type = "t3a.small" + vpc_public_subnets_counts = 2 + vpc_private_subnets_counts = 2 + vpc_database_subnets_counts = 2 + vpc_intra_subnets_counts = 2 + vpc_endpoint_type_private_s3 = "Gateway" + vpc_endpoint_type_ecr_dkr = "Interface" + vpc_endpoint_type_ecr_api = "Interface" vpc_s3_endpoint_enabled = true vpc_ecr_endpoint_enabled = true - flow_log_max_aggregation_interval = 60 - flow_log_cloudwatch_log_group_skip_destroy = true - flow_log_cloudwatch_log_group_retention_in_days = 90 - flow_log_cloudwatch_log_group_kms_key_arn = "arn:aws:kms:us-east-2:222222222222:key/kms_key_arn" #Enter your kms key arn + vpc_flow_log_max_aggregation_interval = 60 + vpc_flow_log_cloudwatch_log_group_skip_destroy = true + vpc_flow_log_cloudwatch_log_group_retention_in_days = 90 + vpc_flow_log_cloudwatch_log_group_kms_key_arn = "arn:aws:kms:us-east-2:222222222222:key/kms_key_arn" #Enter your kms key arn } ``` Refer [this](https://github.com/squareops/terraform-aws-vpc/tree/main/examples) for more examples. 
@@ -191,13 +200,13 @@ In this module, we have implemented the following CIS Compliance checks for VPC: | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 4.23 | +| [aws](#requirement\_aws) | >= 5.0.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 4.23 | +| [aws](#provider\_aws) | >= 5.0.0 | ## Modules @@ -211,9 +220,9 @@ In this module, we have implemented the following CIS Compliance checks for VPC: | Name | Type | |------|------| | [aws_security_group.vpc_endpoints](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | -| [aws_vpc_endpoint.private-ecr-api](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.private-ecr-dkr](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.private-s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | +| [aws_vpc_endpoint.private_ecr_api](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | +| [aws_vpc_endpoint.private_ecr_dkr](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | +| [aws_vpc_endpoint.private_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | | [aws_vpc_ipam.ipam](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_ipam) | resource | | [aws_vpc_ipam_pool.ipam_pool](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_ipam_pool) | resource | | [aws_vpc_ipam_pool_cidr.ipam_pool_cidr](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_ipam_pool_cidr) | resource | 
@@ -225,61 +234,77 @@ In this module, we have implemented the following CIS Compliance checks for VPC: | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| [additional\_aws\_tags](#input\_additional\_aws\_tags) | Additional tags to be applied to AWS resources | `map(string)` | `{}` | no | | [auto\_assign\_public\_ip](#input\_auto\_assign\_public\_ip) | Specify true to indicate that instances launched into the subnet should be assigned a public IP address. | `bool` | `false` | no | -| [availability\_zones](#input\_availability\_zones) | Number of Availability Zone to be used by VPC Subnets | `list(any)` | `[]` | no | -| [create\_ipam\_pool](#input\_create\_ipam\_pool) | Whether create new IPAM pool | `bool` | `true` | no | +| [aws\_account\_id](#input\_aws\_account\_id) | Account ID of the AWS Account. | `string` | `"1234567890"` | no | +| [aws\_region](#input\_aws\_region) | Name of the AWS region where VPC is to be created. | `string` | `""` | no | +| [database\_nat\_gateway\_route\_enabled](#input\_database\_nat\_gateway\_route\_enabled) | Nat Gateway route to be created for internet access to database subnets | `bool` | `false` | no | | [database\_subnet\_assign\_ipv6\_address\_on\_creation](#input\_database\_subnet\_assign\_ipv6\_address\_on\_creation) | Assign IPv6 address on database subnet, must be disabled to change IPv6 CIDRs. 
This is the IPv6 equivalent of map\_public\_ip\_on\_launch | `bool` | `null` | no | -| [database\_subnet\_cidrs](#input\_database\_subnet\_cidrs) | Database Tier subnet CIDRs to be created | `list(any)` | `[]` | no | -| [database\_subnet\_enabled](#input\_database\_subnet\_enabled) | Set true to enable database subnets | `bool` | `false` | no | +| [database\_subnet\_group\_enabled](#input\_database\_subnet\_group\_enabled) | Whether create database subnet groups | `bool` | `false` | no | | [default\_network\_acl\_ingress](#input\_default\_network\_acl\_ingress) | List of maps of ingress rules to set on the Default Network ACL | `list(map(string))` |
[
{
"action": "deny",
"cidr_block": "0.0.0.0/0",
"from_port": 22,
"protocol": "tcp",
"rule_no": 98,
"to_port": 22
},
{
"action": "deny",
"cidr_block": "0.0.0.0/0",
"from_port": 3389,
"protocol": "tcp",
"rule_no": 99,
"to_port": 3389
},
{
"action": "allow",
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_no": 100,
"to_port": 0
},
{
"action": "allow",
"from_port": 0,
"ipv6_cidr_block": "::/0",
"protocol": "-1",
"rule_no": 101,
"to_port": 0
}
]
| no | -| [enable\_database\_subnet\_group](#input\_enable\_database\_subnet\_group) | Whether create database subnet groups | `bool` | `false` | no | +| [dns\_hostnames\_enabled](#input\_dns\_hostnames\_enabled) | Whether to enable DNS hostnames | `bool` | `true` | no | | [environment](#input\_environment) | Specify the environment indentifier for the VPC | `string` | `""` | no | | [existing\_ipam\_managed\_cidr](#input\_existing\_ipam\_managed\_cidr) | The existing IPAM pool CIDR | `string` | `""` | no | -| [flow\_log\_cloudwatch\_log\_group\_kms\_key\_arn](#input\_flow\_log\_cloudwatch\_log\_group\_kms\_key\_arn) | The ARN of the KMS Key to use when encrypting log data for VPC flow logs | `string` | `null` | no | -| [flow\_log\_cloudwatch\_log\_group\_retention\_in\_days](#input\_flow\_log\_cloudwatch\_log\_group\_retention\_in\_days) | Specifies the number of days you want to retain log events in the specified log group for VPC flow logs. | `number` | `null` | no | -| [flow\_log\_cloudwatch\_log\_group\_skip\_destroy](#input\_flow\_log\_cloudwatch\_log\_group\_skip\_destroy) | Set to true if you do not wish the log group (and any logs it may contain) to be deleted at destroy time, and instead just remove the log group from the Terraform state | `bool` | `false` | no | -| [flow\_log\_enabled](#input\_flow\_log\_enabled) | Whether or not to enable VPC Flow Logs | `bool` | `false` | no | -| [flow\_log\_max\_aggregation\_interval](#input\_flow\_log\_max\_aggregation\_interval) | The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: `60` seconds or `600` seconds. | `number` | `60` | no | | [intra\_subnet\_assign\_ipv6\_address\_on\_creation](#input\_intra\_subnet\_assign\_ipv6\_address\_on\_creation) | Assign IPv6 address on intra subnet, must be disabled to change IPv6 CIDRs. 
This is the IPv6 equivalent of map\_public\_ip\_on\_launch | `bool` | `null` | no | -| [intra\_subnet\_cidrs](#input\_intra\_subnet\_cidrs) | A list of intra subnets CIDR to be created | `list(any)` | `[]` | no | -| [intra\_subnet\_enabled](#input\_intra\_subnet\_enabled) | Set true to enable intra subnets | `bool` | `false` | no | +| [ipam\_address\_family](#input\_ipam\_address\_family) | The address family for the VPC (ipv4 or ipv6) | `string` | `"ipv4"` | no | | [ipam\_enabled](#input\_ipam\_enabled) | Whether enable IPAM managed VPC or not | `bool` | `false` | no | +| [ipam\_pool\_enabled](#input\_ipam\_pool\_enabled) | Whether create new IPAM pool | `bool` | `true` | no | | [ipam\_pool\_id](#input\_ipam\_pool\_id) | The existing IPAM pool id if any | `string` | `null` | no | | [ipv4\_netmask\_length](#input\_ipv4\_netmask\_length) | The netmask length for IPAM managed VPC | `number` | `16` | no | | [ipv6\_enabled](#input\_ipv6\_enabled) | Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block. | `bool` | `false` | no | | [ipv6\_only](#input\_ipv6\_only) | Enable it for deploying native IPv6 network | `bool` | `false` | no | +| [manage\_vpc\_default\_security\_group](#input\_manage\_vpc\_default\_security\_group) | Should be true to manage Default Security group of vpc | `bool` | `true` | no | | [name](#input\_name) | Specify the name of the VPC | `string` | `""` | no | -| [one\_nat\_gateway\_per\_az](#input\_one\_nat\_gateway\_per\_az) | Set to true if a NAT Gateway is required per availability zone for Private Subnet Tier | `bool` | `false` | no | | [private\_subnet\_assign\_ipv6\_address\_on\_creation](#input\_private\_subnet\_assign\_ipv6\_address\_on\_creation) | Assign IPv6 address on private subnet, must be disabled to change IPv6 CIDRs. 
This is the IPv6 equivalent of map\_public\_ip\_on\_launch | `bool` | `null` | no | -| [private\_subnet\_cidrs](#input\_private\_subnet\_cidrs) | A list of private subnets CIDR to be created inside the VPC | `list(any)` | `[]` | no | -| [private\_subnet\_enabled](#input\_private\_subnet\_enabled) | Set true to enable private subnets | `bool` | `false` | no | | [public\_subnet\_assign\_ipv6\_address\_on\_creation](#input\_public\_subnet\_assign\_ipv6\_address\_on\_creation) | Assign IPv6 address on public subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map\_public\_ip\_on\_launch | `bool` | `null` | no | -| [public\_subnet\_cidrs](#input\_public\_subnet\_cidrs) | A list of public subnets CIDR to be created inside the VPC | `list(any)` | `[]` | no | -| [public\_subnet\_enabled](#input\_public\_subnet\_enabled) | Set true to enable public subnets | `bool` | `false` | no | -| [region](#input\_region) | The AWS region name | `string` | `null` | no | | [secondary\_cidr\_blocks](#input\_secondary\_cidr\_blocks) | List of the secondary CIDR blocks which can be at most 5 | `list(string)` | `[]` | no | | [secondry\_cidr\_enabled](#input\_secondry\_cidr\_enabled) | Whether enable secondary CIDR with VPC | `bool` | `false` | no | +| [vpc\_availability\_zones](#input\_vpc\_availability\_zones) | Number of Availability Zone to be used by VPC Subnets. 
| `list(any)` | `[]` | no | | [vpc\_cidr](#input\_vpc\_cidr) | The CIDR block of the VPC | `string` | `"10.0.0.0/16"` | no | +| [vpc\_database\_subnet\_cidrs](#input\_vpc\_database\_subnet\_cidrs) | Database Tier subnet CIDRs to be created | `list(any)` | `[]` | no | +| [vpc\_database\_subnet\_enabled](#input\_vpc\_database\_subnet\_enabled) | Set true to enable database subnets | `bool` | `false` | no | +| [vpc\_database\_subnets\_counts](#input\_vpc\_database\_subnets\_counts) | List of counts for database subnets | `number` | `1` | no | +| [vpc\_default\_security\_group\_egress](#input\_vpc\_default\_security\_group\_egress) | List of maps of egress rules to set on the default security group | `list(map(string))` | `[]` | no | +| [vpc\_default\_security\_group\_ingress](#input\_vpc\_default\_security\_group\_ingress) | List of maps of ingress rules to set on the default security group | `list(map(string))` | `[]` | no | | [vpc\_ecr\_endpoint\_enabled](#input\_vpc\_ecr\_endpoint\_enabled) | Set to true if you want to enable vpc ecr endpoints | `bool` | `false` | no | +| [vpc\_endpoint\_type\_ecr\_api](#input\_vpc\_endpoint\_type\_ecr\_api) | The type of VPC endpoint for ECR api | `string` | `"Interface"` | no | +| [vpc\_endpoint\_type\_ecr\_dkr](#input\_vpc\_endpoint\_type\_ecr\_dkr) | The type of VPC endpoint for ECR Docker | `string` | `"Interface"` | no | +| [vpc\_endpoint\_type\_private\_s3](#input\_vpc\_endpoint\_type\_private\_s3) | The type of VPC endpoint for ECR Docker | `string` | `"Gateway"` | no | +| [vpc\_flow\_log\_cloudwatch\_log\_group\_kms\_key\_arn](#input\_vpc\_flow\_log\_cloudwatch\_log\_group\_kms\_key\_arn) | The ARN of the KMS Key to use when encrypting log data for VPC flow logs | `string` | `null` | no | +| [vpc\_flow\_log\_cloudwatch\_log\_group\_retention\_in\_days](#input\_vpc\_flow\_log\_cloudwatch\_log\_group\_retention\_in\_days) | Specifies the number of days you want to retain log events in the specified log group for VPC flow 
logs. | `number` | `null` | no | +| [vpc\_flow\_log\_cloudwatch\_log\_group\_skip\_destroy](#input\_vpc\_flow\_log\_cloudwatch\_log\_group\_skip\_destroy) | Set to true if you do not wish the log group (and any logs it may contain) to be deleted at destroy time, and instead just remove the log group from the Terraform state | `bool` | `false` | no | +| [vpc\_flow\_log\_destination\_type](#input\_vpc\_flow\_log\_destination\_type) | Type of flow log destination. Can be s3 or cloud-watch-logs | `string` | `"cloud-watch-logs"` | no | +| [vpc\_flow\_log\_enabled](#input\_vpc\_flow\_log\_enabled) | Whether or not to enable VPC Flow Logs | `bool` | `false` | no | +| [vpc\_flow\_log\_max\_aggregation\_interval](#input\_vpc\_flow\_log\_max\_aggregation\_interval) | The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: `60` seconds or `600` seconds. | `number` | `60` | no | +| [vpc\_flow\_log\_traffic\_type](#input\_vpc\_flow\_log\_traffic\_type) | The type of traffic to capture. 
Valid values: ACCEPT, REJECT, ALL | `string` | `"ALL"` | no | +| [vpc\_intra\_subnet\_cidrs](#input\_vpc\_intra\_subnet\_cidrs) | A list of intra subnets CIDR to be created | `list(any)` | `[]` | no | +| [vpc\_intra\_subnet\_enabled](#input\_vpc\_intra\_subnet\_enabled) | Set true to enable intra subnets | `bool` | `false` | no | +| [vpc\_intra\_subnets\_counts](#input\_vpc\_intra\_subnets\_counts) | List of counts for intra subnets | `number` | `1` | no | +| [vpc\_manage\_default\_network\_acl](#input\_vpc\_manage\_default\_network\_acl) | Should be true to manage Default Network ACL | `bool` | `true` | no | +| [vpc\_one\_nat\_gateway\_per\_az](#input\_vpc\_one\_nat\_gateway\_per\_az) | Set to true if a NAT Gateway is required per availability zone for Private Subnet Tier | `bool` | `false` | no | +| [vpc\_private\_subnet\_cidrs](#input\_vpc\_private\_subnet\_cidrs) | A list of private subnets CIDR to be created inside the VPC | `list(any)` | `[]` | no | +| [vpc\_private\_subnet\_enabled](#input\_vpc\_private\_subnet\_enabled) | Set true to enable private subnets | `bool` | `false` | no | +| [vpc\_private\_subnets\_counts](#input\_vpc\_private\_subnets\_counts) | List of counts for private subnets | `number` | `1` | no | +| [vpc\_public\_subnet\_cidrs](#input\_vpc\_public\_subnet\_cidrs) | A list of public subnets CIDR to be created inside the VPC | `list(any)` | `[]` | no | +| [vpc\_public\_subnet\_enabled](#input\_vpc\_public\_subnet\_enabled) | Set true to enable public subnets | `bool` | `false` | no | +| [vpc\_public\_subnets\_counts](#input\_vpc\_public\_subnets\_counts) | List of counts for public subnets | `number` | `1` | no | | [vpc\_s3\_endpoint\_enabled](#input\_vpc\_s3\_endpoint\_enabled) | Set to true if you want to enable vpc S3 endpoints | `bool` | `false` | no | -| [vpn\_key\_pair\_name](#input\_vpn\_key\_pair\_name) | Specify the name of AWS Keypair to be used for VPN Server | `string` | `""` | no | +| 
[vpn\_gateway\_enabled](#input\_vpn\_gateway\_enabled) | Whether to enable vpn Gateway | `bool` | `false` | no | | [vpn\_server\_enabled](#input\_vpn\_server\_enabled) | Set to true if you want to deploy VPN Gateway resource and attach it to the VPC | `bool` | `false` | no | | [vpn\_server\_instance\_type](#input\_vpn\_server\_instance\_type) | EC2 instance Type for VPN Server, Only amd64 based instance type are supported eg. t2.medium, t3.micro, c5a.large etc. | `string` | `"t3a.small"` | no | +| [vpn\_server\_key\_pair\_name](#input\_vpn\_server\_key\_pair\_name) | Specify the name of AWS Keypair to be used for VPN Server | `string` | `""` | no | ## Outputs | Name | Description | |------|-------------| | [database\_subnets](#output\_database\_subnets) | List of IDs of database subnets | -| [intra\_subnets](#output\_intra\_subnets) | List of IDs of Intra subnets | -| [ipv6\_vpc\_cidr\_block](#output\_ipv6\_vpc\_cidr\_block) | The IPv6 CIDR block | -| [private\_subnets](#output\_private\_subnets) | List of IDs of private subnets | -| [public\_subnets](#output\_public\_subnets) | List of IDs of public subnets | -| [vpc\_cidr\_block](#output\_vpc\_cidr\_block) | IPV4 CIDR Block for this VPC | +| [vpc\_cidr\_block](#output\_vpc\_cidr\_block) | AWS Region | | [vpc\_id](#output\_vpc\_id) | The ID of the VPC | -| [vpc\_ipv6\_association\_id](#output\_vpc\_ipv6\_association\_id) | The association ID for the IPv6 CIDR block | -| [vpc\_secondary\_cidr\_blocks](#output\_vpc\_secondary\_cidr\_blocks) | List of secondary CIDR blocks of the VPC | -| [vpn\_host\_public\_ip](#output\_vpn\_host\_public\_ip) | IP Address of VPN Server | +| [vpc\_intra\_subnets](#output\_vpc\_intra\_subnets) | List of IDs of Intra subnets | +| [vpc\_private\_subnets](#output\_vpc\_private\_subnets) | List of IDs of private subnets | +| [vpc\_public\_subnets](#output\_vpc\_public\_subnets) | List of IDs of public subnets | +| [vpn\_host\_public\_ip](#output\_vpn\_host\_public\_ip) | IP Adress of VPN 
Server | | [vpn\_security\_group](#output\_vpn\_security\_group) | Security Group ID of VPN Server | diff --git a/compliance.md b/compliance.md old mode 100644 new mode 100755 diff --git a/examples/complete-vpc-with-vpn/README.md b/examples/complete-vpc-with-vpn/README.md old mode 100644 new mode 100755 index 62cdb53..957e4cd --- a/examples/complete-vpc-with-vpn/README.md +++ b/examples/complete-vpc-with-vpn/README.md @@ -52,12 +52,11 @@ No inputs. | Name | Description | |------|-------------| | [database\_subnets](#output\_database\_subnets) | List of IDs of database subnets | -| [intra\_subnets](#output\_intra\_subnets) | List of IDs of Intra subnets | -| [private\_subnets](#output\_private\_subnets) | List of IDs of private subnets | -| [public\_subnets](#output\_public\_subnets) | List of IDs of public subnets | -| [region](#output\_region) | AWS Region | | [vpc\_cidr\_block](#output\_vpc\_cidr\_block) | AWS Region | | [vpc\_id](#output\_vpc\_id) | The ID of the VPC | +| [vpc\_intra\_subnets](#output\_vpc\_intra\_subnets) | List of IDs of Intra subnets | +| [vpc\_private\_subnets](#output\_vpc\_private\_subnets) | List of IDs of private subnets | +| [vpc\_public\_subnets](#output\_vpc\_public\_subnets) | List of IDs of public subnets | | [vpn\_host\_public\_ip](#output\_vpn\_host\_public\_ip) | IP Adress of VPN Server | | [vpn\_security\_group](#output\_vpn\_security\_group) | Security Group ID of VPN Server | diff --git a/examples/complete-vpc-with-vpn/main.tf b/examples/complete-vpc-with-vpn/main.tf old mode 100644 new mode 100755 index 0c63112..b69b8d3 --- a/examples/complete-vpc-with-vpn/main.tf +++ b/examples/complete-vpc-with-vpn/main.tf 
@@ -1,42 +1,64 @@
 locals {
- name = "vpc"
- region = "ap-south-1"
- environment = "prod"
+ vpc_name = "vpc-test"
+ aws_region = "ap-northeast-1"
+ aws_account_id = "767398031518"
+ environment = "prod"
+ kms_user = null
+ vpc_cidr = "10.10.0.0/16"
+ vpc_availability_zones = ["ap-northeast-1a", "ap-northeast-1c"]
+ kms_deletion_window_in_days = 7
+ enable_key_rotation = false
+ is_enabled = true
+ vpc_flow_log_enabled = false
+ vpn_server_enabled = true
+ vpc_intra_subnet_enabled = true
+ vpc_public_subnet_enabled = true
+ auto_assign_public_ip = true
+ vpc_private_subnet_enabled = true
+ vpc_one_nat_gateway_per_az = true
+ vpc_database_subnet_enabled = true
+ vpc_s3_endpoint_enabled = true
+ vpc_ecr_endpoint_enabled = true
+ vpn_server_instance_type = "t3a.small"
+ vpc_flow_log_cloudwatch_log_group_skip_destroy = false
+ current_identity = data.aws_caller_identity.current.arn
+ multi_region = false
+ vpc_public_subnets_counts = 2
+ vpc_private_subnets_counts = 2
+ vpc_database_subnets_counts = 2
+ vpc_intra_subnets_counts = 2
 additional_aws_tags = {
 Owner = "Organization_Name"
 Expires = "Never"
 Department = "Engineering"
 }
- kms_user = null
- vpc_cidr = "10.10.0.0/16"
- current_identity = data.aws_caller_identity.current.arn
 }
 data "aws_caller_identity" "current" {}
 module "key_pair_vpn" {
 source = "squareops/keypair/aws"
- key_name = format("%s-%s-vpn", local.environment, local.name)
+ key_name = format("%s-%s-vpn", local.environment, local.vpc_name)
 environment = local.environment
- ssm_parameter_path = format("%s-%s-vpn", local.environment, local.name)
+ ssm_parameter_path = format("%s-%s-vpn", local.environment, local.vpc_name)
 }
 module "kms" {
 source = "terraform-aws-modules/kms/aws"
- deletion_window_in_days = 7
+ deletion_window_in_days = local.kms_deletion_window_in_days
 description = "Symetric Key to Enable Encryption at rest using KMS services."
- enable_key_rotation = false
- is_enabled = true
+ enable_key_rotation = local.enable_key_rotation
+ is_enabled = local.is_enabled
 key_usage = "ENCRYPT_DECRYPT"
- multi_region = false
+ multi_region = local.multi_region
 # Policy
 enable_default_policy = true
 key_owners = [local.current_identity]
- key_administrators = local.kms_user == null ? ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling", "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForAmazonEKS", local.current_identity] : local.kms_user
- key_users = local.kms_user == null ? ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling", "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForAmazonEKS", local.current_identity] : local.kms_user
- key_service_users = local.kms_user == null ? ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling", "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForAmazonEKS", local.current_identity] : local.kms_user
+ key_administrators = local.kms_user == null ? ["arn:aws:iam::${local.aws_account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling", "arn:aws:iam::${local.aws_account_id}:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForAmazonEKS", local.current_identity] : local.kms_user
+ key_users = local.kms_user == null ? ["arn:aws:iam::${local.aws_account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling", "arn:aws:iam::${local.aws_account_id}:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForAmazonEKS", local.current_identity] : local.kms_user
+ key_service_users = local.kms_user == null ? ["arn:aws:iam::${local.aws_account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling", "arn:aws:iam::${local.aws_account_id}:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForAmazonEKS", local.current_identity] : local.kms_user
 key_symmetric_encryption_users = [local.current_identity]
 key_hmac_users = [local.current_identity]
 key_asymmetric_public_encryption_users = [local.current_identity]
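Review bot: `aws_account_id = "767398031518"` is a literal account number that the `key_administrators`, `key_users` and `key_service_users` lines at the end of this hunk now splice into the service-linked-role ARNs of the KMS key policy, replacing `data.aws_caller_identity.current.account_id`, which the removed lines used and which the example still queries for `current_identity`. For anyone deploying the example into a different account, the key policy either fails validation or names key administrators and key users in an account they do not control. Use `aws_account_id = data.aws_caller_identity.current.account_id` in the locals (or drop the local and keep the data-source reference) so the example never ships a real account ID. The `kms` module block continues past the end of the hunk.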
@@ -57,38 +79,45 @@ module "kms" {
 principals = [
 {
 type = "Service"
- identifiers = ["logs.${local.region}.amazonaws.com"]
+ identifiers = ["logs.${local.aws_region}.amazonaws.com"]
 }
 ]
 }
 ]
 # Aliases
- aliases = ["${local.name}-KMS"]
+ aliases = ["${local.vpc_name}-KMS"]
 aliases_use_name_prefix = true
 }
 module "vpc" {
- source = "squareops/vpc/aws"
- name = local.name
- region = local.region
- vpc_cidr = local.vpc_cidr
- environment = local.environment
- flow_log_enabled = true
- vpn_key_pair_name = module.key_pair_vpn.key_pair_name
- availability_zones = ["ap-south-1a", "ap-south-1b"]
- vpn_server_enabled = true
- intra_subnet_enabled = true
- public_subnet_enabled = true
- auto_assign_public_ip = true
- private_subnet_enabled = true
- one_nat_gateway_per_az = true
- database_subnet_enabled = true
- vpn_server_instance_type = "t3a.small"
- vpc_s3_endpoint_enabled = true
- vpc_ecr_endpoint_enabled = true
- flow_log_max_aggregation_interval = 60 # In seconds
- flow_log_cloudwatch_log_group_skip_destroy = true
- flow_log_cloudwatch_log_group_retention_in_days = 90
- flow_log_cloudwatch_log_group_kms_key_arn = module.kms.key_arn #Enter your kms key arn
-}
\ No newline at end of file
+ source = "../../"
+ name = local.vpc_name
+ aws_region = local.aws_region
+ vpc_cidr = local.vpc_cidr
+ environment = local.environment
+ vpc_flow_log_enabled = local.vpc_flow_log_enabled
+ vpn_server_key_pair_name = module.key_pair_vpn.key_pair_name
+ vpc_availability_zones = local.vpc_availability_zones
+ vpn_server_enabled = local.vpn_server_enabled
+ vpc_intra_subnet_enabled = local.vpc_intra_subnet_enabled
+ vpc_public_subnet_enabled = local.vpc_public_subnet_enabled
+ auto_assign_public_ip = local.auto_assign_public_ip
+ vpc_private_subnet_enabled = local.vpc_private_subnet_enabled
+ vpc_one_nat_gateway_per_az = local.vpc_one_nat_gateway_per_az
+ vpc_database_subnet_enabled = local.vpc_database_subnet_enabled
+ vpn_server_instance_type = local.vpn_server_instance_type
+ vpc_s3_endpoint_enabled = local.vpc_s3_endpoint_enabled
+ vpc_ecr_endpoint_enabled = local.vpc_ecr_endpoint_enabled
+ vpc_flow_log_max_aggregation_interval = 60 # In seconds
+ vpc_flow_log_cloudwatch_log_group_skip_destroy = local.vpc_flow_log_cloudwatch_log_group_skip_destroy
+ vpc_flow_log_cloudwatch_log_group_retention_in_days = 90
+ vpc_flow_log_cloudwatch_log_group_kms_key_arn = module.kms.key_arn #Enter your kms key arn
+ vpc_public_subnets_counts = local.vpc_public_subnets_counts
+ vpc_private_subnets_counts = local.vpc_private_subnets_counts
+ vpc_database_subnets_counts = local.vpc_database_subnets_counts
+ vpc_intra_subnets_counts = local.vpc_intra_subnets_counts
+ vpc_endpoint_type_private_s3 = "Gateway"
+ vpc_endpoint_type_ecr_dkr = "Interface"
+ vpc_endpoint_type_ecr_api = "Interface"
+}
diff --git a/examples/complete-vpc-with-vpn/outputs.tf b/examples/complete-vpc-with-vpn/outputs.tf
old mode 100644
new mode 100755
index f4e210f..3ef89c5
--- a/examples/complete-vpc-with-vpn/outputs.tf
+++ b/examples/complete-vpc-with-vpn/outputs.tf
@@ -1,8 +1,3 @@
-output "region" {
- description = "AWS Region"
- value = local.region
-}
-
 output "vpc_id" {
 description = "The ID of the VPC"
 value = module.vpc.vpc_id
@@ -13,14 +8,14 @@ output "vpc_cidr_block" {
 value = module.vpc.vpc_cidr_block
 }
-output "public_subnets" {
+output "vpc_public_subnets" {
 description = "List of IDs of public subnets"
- value = module.vpc.public_subnets
+ value = module.vpc.vpc_public_subnets
 }
-output "private_subnets" {
+output "vpc_private_subnets" {
 description = "List of IDs of private subnets"
- value = module.vpc.private_subnets
+ value = module.vpc.vpc_private_subnets
 }
 output "database_subnets" {
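Review bot: `vpc_flow_log_enabled = local.vpc_flow_log_enabled` evaluates to `false` with this example's locals, whereas the removed `flow_log_enabled = true` line had flow logs on, so the "complete" example now stands up NAT gateways and a VPN server (which appears to expose a public IP, per the `vpn_host_public_ip` output) without VPC Flow Logs, even though the flow-log KMS key, 90-day retention and 60-second interval are still passed in. Since this is the example users copy and the README advertises CIS checks for the module, flow logging should stay enabled: set `vpc_flow_log_enabled = true` in the locals. For consistency with the rest of the hunk, `vpc_flow_log_max_aggregation_interval = 60` and `vpc_flow_log_cloudwatch_log_group_retention_in_days = 90` could move into locals as well.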
@@ -28,9 +23,9 @@ output "database_subnets" { value = module.vpc.database_subnets } -output "intra_subnets" { +output "vpc_intra_subnets" { description = "List of IDs of Intra subnets" - value = module.vpc.intra_subnets + value = module.vpc.vpc_intra_subnets } output "vpn_host_public_ip" { @@ -41,4 +36,4 @@ output "vpn_host_public_ip" { output "vpn_security_group" { description = "Security Group ID of VPN Server" value = module.vpc.vpn_security_group -} +} diff --git a/examples/complete-vpc-with-vpn/providers.tf b/examples/complete-vpc-with-vpn/providers.tf old mode 100644 new mode 100755 index 2d14d27..7a8138f --- a/examples/complete-vpc-with-vpn/providers.tf +++ b/examples/complete-vpc-with-vpn/providers.tf @@ -1,5 +1,5 @@ provider "aws" { - region = local.region + region = local.aws_region default_tags { tags = local.additional_aws_tags } diff --git a/examples/ipam-managed-vpc/README.md b/examples/ipam-managed-vpc/README.md old mode 100644 new mode 100755 diff --git a/examples/ipam-managed-vpc/main.tf b/examples/ipam-managed-vpc/main.tf old mode 100644 new mode 100755 diff --git a/examples/ipam-managed-vpc/output.tf b/examples/ipam-managed-vpc/output.tf old mode 100644 new mode 100755 diff --git a/examples/ipam-managed-vpc/providers.tf b/examples/ipam-managed-vpc/providers.tf old mode 100644 new mode 100755 diff --git a/examples/multi-account-vpc-peering/main.tf b/examples/multi-account-vpc-peering/main.tf new file mode 100755 index 0000000..870a18a --- /dev/null +++ b/examples/multi-account-vpc-peering/main.tf 
@@ -0,0 +1,25 @@
+locals {
+ accepter_name = "tenent-peering"
+ accepter_region = "us-east-1"
+ accepter_vpc_id = "vpc-07a2c1d0328341493"
+ requester_name = "management-peering"
+ requester_region = "ap-northeast-1"
+ requester_vpc_id = "vpc-0ce36808b9b133608"
+ additional_tags = {
+ Owner = "tenent"
+ Tenancy = "dedicated"
+ }
+}
+
+module "vpc_peering" {
+ source = "../../modules/vpc_peering"
+ accepter_name = local.accepter_name
+ vpc_peering_accepter_vpc_id = local.accepter_vpc_id
+ vpc_peering_accepter_vpc_region = local.accepter_region
+ requester_name = local.requester_name
+ vpc_peering_requester_vpc_id = local.requester_vpc_id
+ vpc_peering_requester_vpc_region = local.requester_region
+ vpc_peering_multi_account_enabled = true
+ vpc_peering_requester_aws_profile = "peer"
+ vpc_peering_accepter_aws_profile = "accepter"
+}
diff --git a/examples/multi-account-vpc-peering/output.tf b/examples/multi-account-vpc-peering/output.tf
new file mode 100755
index 0000000..a4ae83d
--- /dev/null
+++ b/examples/multi-account-vpc-peering/output.tf
@@ -0,0 +1,9 @@
+output "vpc_peering_connection_id" {
+ description = "Peering connection ID"
+ value = module.vpc_peering.vpc_peering_connection_id
+}
+
+output "vpc_peering_accept_status" {
+ description = "Accept status for the connection"
+ value = module.vpc_peering.vpc_peering_accept_status
+}
diff --git a/examples/multi-account-vpc-peering/provider.tf b/examples/multi-account-vpc-peering/provider.tf
new file mode 100755
index 0000000..110abbb
--- /dev/null
+++ b/examples/multi-account-vpc-peering/provider.tf
@@ -0,0 +1,17 @@
+provider "aws" {
+ alias = "peer"
+ region = "ap-northeast-1"
+ aws_account_id = ""
+ default_tags {
+ tags = local.additional_tags
+ }
+}
+
+provider "aws" {
+ alias = "accepter"
+ region = "ap-northeast-1"
+ aws_account_id = ""
+ default_tags {
+ tags = local.additional_tags
+ }
+}
diff --git a/examples/simple-vpc/README.md b/examples/simple-vpc/README.md
old mode 100644
new mode 100755
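Review bot: The argument names in the `module "vpc_peering"` block do not match the variables the module declares in this same diff (`vpc_peering_accepter_id`, `vpc_peering_accepter_region`, `vpc_peering_accepter_name`, `vpc_peering_requester_id`, `vpc_peering_requester_region`, `vpc_peering_requester_name`), so `accepter_name`, `vpc_peering_accepter_vpc_id`, `vpc_peering_accepter_vpc_region` and their requester counterparts would be rejected as unsupported arguments and the VPC ids would otherwise fall back to their empty defaults. The six lines should be renamed to the module's inputs; the rest of the block (`vpc_peering_multi_account_enabled` and the two profile arguments) already matches. The hard-coded VPC ids and account-specific profile names are fine for an example but deserve a short comment saying they must be replaced, e.g. `# Replace with the VPC ids and AWS CLI profiles of your two accounts.`
```hcl
module "vpc_peering" {
  source                       = "../../modules/vpc_peering"
  vpc_peering_accepter_name    = local.accepter_name
  vpc_peering_accepter_id      = local.accepter_vpc_id
  vpc_peering_accepter_region  = local.accepter_region
  vpc_peering_requester_name   = local.requester_name
  vpc_peering_requester_id     = local.requester_vpc_id
  vpc_peering_requester_region = local.requester_region
  # … unchanged: vpc_peering_multi_account_enabled and the two *_aws_profile arguments …
}
```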
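Review bot: `aws_account_id = ""` is not, as far as I know, an argument of the hashicorp/aws provider block, so both provider definitions would fail validation; the provider's account-pinning argument is `allowed_account_ids`, e.g. `allowed_account_ids = ["<accepter account id>"]`, which is also the safer choice because it refuses to apply against the wrong account. Both aliases hard-code `region = "ap-northeast-1"` while the accompanying `local.accepter_region` is `us-east-1`, so the `accepter` alias should use `region = local.accepter_region`. Note that the module declares its own `provider "aws"` blocks with the same aliases and the example passes no `providers` map, so these root-level providers are presumably not the ones the module actually uses; if that is intended, a comment saying so would stop readers from editing the wrong block.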
diff --git a/examples/simple-vpc/main.tf b/examples/simple-vpc/main.tf old mode 100644 new mode 100755 diff --git a/examples/simple-vpc/output.tf b/examples/simple-vpc/output.tf old mode 100644 new mode 100755 diff --git a/examples/simple-vpc/providers.tf b/examples/simple-vpc/providers.tf old mode 100644 new mode 100755 diff --git a/examples/vpc-dualstack/README.md b/examples/vpc-dualstack/README.md old mode 100644 new mode 100755 diff --git a/examples/vpc-dualstack/main.tf b/examples/vpc-dualstack/main.tf old mode 100644 new mode 100755 diff --git a/examples/vpc-dualstack/outputs.tf b/examples/vpc-dualstack/outputs.tf old mode 100644 new mode 100755 diff --git a/examples/vpc-dualstack/providers.tf b/examples/vpc-dualstack/providers.tf old mode 100644 new mode 100755 diff --git a/examples/vpc-native-ipv6/README.md b/examples/vpc-native-ipv6/README.md old mode 100644 new mode 100755 diff --git a/examples/vpc-native-ipv6/main.tf b/examples/vpc-native-ipv6/main.tf old mode 100644 new mode 100755 diff --git a/examples/vpc-native-ipv6/outputs.tf b/examples/vpc-native-ipv6/outputs.tf old mode 100644 new mode 100755 diff --git a/examples/vpc-native-ipv6/providers.tf b/examples/vpc-native-ipv6/providers.tf old mode 100644 new mode 100755 diff --git a/examples/vpc-with-peering/README.md b/examples/vpc-with-peering/README.md old mode 100644 new mode 100755 diff --git a/examples/vpc-with-peering/main.tf b/examples/vpc-with-peering/main.tf old mode 100644 new mode 100755 diff --git a/examples/vpc-with-peering/output.tf b/examples/vpc-with-peering/output.tf old mode 100644 new mode 100755 diff --git a/examples/vpc-with-peering/provider.tf b/examples/vpc-with-peering/provider.tf old mode 100644 new mode 100755 index 369af88..a60af51 --- a/examples/vpc-with-peering/provider.tf +++ b/examples/vpc-with-peering/provider.tf @@ -1,5 +1,5 @@ provider "aws" { - region = local.region + region = local.accepter_region default_tags { tags = local.additional_tags } 
diff --git a/examples/vpc-with-peering/vpc-requester-accepter/main.tf b/examples/vpc-with-peering/vpc-requester-accepter/main.tf old mode 100644 new mode 100755 diff --git a/examples/vpc-with-peering/vpc-requester-accepter/providers.tf b/examples/vpc-with-peering/vpc-requester-accepter/providers.tf old mode 100644 new mode 100755 diff --git a/examples/vpc-with-private-subnet/README.md b/examples/vpc-with-private-subnet/README.md old mode 100644 new mode 100755 diff --git a/examples/vpc-with-private-subnet/main.tf b/examples/vpc-with-private-subnet/main.tf old mode 100644 new mode 100755 diff --git a/examples/vpc-with-private-subnet/outputs.tf b/examples/vpc-with-private-subnet/outputs.tf old mode 100644 new mode 100755 diff --git a/examples/vpc-with-private-subnet/providers.tf b/examples/vpc-with-private-subnet/providers.tf old mode 100644 new mode 100755 diff --git a/examples/vpc-with-secondary-cidr/README.md b/examples/vpc-with-secondary-cidr/README.md old mode 100644 new mode 100755 diff --git a/examples/vpc-with-secondary-cidr/main.tf b/examples/vpc-with-secondary-cidr/main.tf old mode 100644 new mode 100755 diff --git a/examples/vpc-with-secondary-cidr/outputs.tf b/examples/vpc-with-secondary-cidr/outputs.tf old mode 100644 new mode 100755 diff --git a/examples/vpc-with-secondary-cidr/providers.tf b/examples/vpc-with-secondary-cidr/providers.tf old mode 100644 new mode 100755 diff --git a/main.tf b/main.tf old mode 100644 new mode 100755 index 48942c0..ad36017 --- a/main.tf +++ b/main.tf 
@@ -1,36 +1,43 @@ locals { - azs = length(var.availability_zones) - public_subnets_native = var.public_subnet_enabled ? length(var.public_subnet_cidrs) > 0 ? var.public_subnet_cidrs : [for netnum in range(0, local.azs) : cidrsubnet(var.vpc_cidr, 8, netnum)] : [] - secondary_public_subnets = var.public_subnet_enabled && var.secondry_cidr_enabled ? [ + azs = length(var.vpc_availability_zones) + # public subnets cidr + public_subnets_native = var.vpc_public_subnet_enabled ? length(var.vpc_public_subnet_cidrs) > 0 ? var.vpc_public_subnet_cidrs : [for netnum in range(0, var.vpc_public_subnets_counts) : cidrsubnet(var.vpc_cidr, 8, netnum)] : [] + secondary_public_subnets = var.vpc_public_subnet_enabled && var.secondry_cidr_enabled ? [ for cidr_block in var.secondary_cidr_blocks : [ - for netnum in range(0, local.azs) : cidrsubnet(cidr_block, 8, netnum) + for netnum in range(0, var.vpc_public_subnets_counts) : cidrsubnet(cidr_block, 8, netnum) ] ] : [] - public_subnets = concat(local.public_subnets_native, flatten(local.secondary_public_subnets)) - intra_subnets_native = var.intra_subnet_enabled ? length(var.intra_subnet_cidrs) > 0 ? var.intra_subnet_cidrs : [for netnum in range(local.azs * 3, local.azs * 4) : cidrsubnet(var.vpc_cidr, 8, netnum)] : [] - secondary_intra_subnets = var.intra_subnet_enabled && var.secondry_cidr_enabled ? [ + vpc_public_subnets = concat(local.public_subnets_native, flatten(local.secondary_public_subnets)) + + # intra subnets cidr + intra_subnets_native = var.vpc_intra_subnet_enabled ? length(var.vpc_intra_subnet_cidrs) > 0 ? var.vpc_intra_subnet_cidrs : [for netnum in range(var.vpc_intra_subnets_counts * 3, var.vpc_intra_subnets_counts * 4) : cidrsubnet(var.vpc_cidr, 4, netnum)] : [] + secondary_intra_subnets = var.vpc_intra_subnet_enabled && var.secondry_cidr_enabled ? 
[ for cidr_block in var.secondary_cidr_blocks : [ - for netnum in range(local.azs * 3, local.azs * 4) : cidrsubnet(cidr_block, 8, netnum) + for netnum in range(var.vpc_intra_subnets_counts * 3, var.vpc_intra_subnets_counts * 4) : cidrsubnet(cidr_block, 8, netnum) ] ] : [] - intra_subnets = concat(local.intra_subnets_native, flatten(local.secondary_intra_subnets)) - private_subnets_native = var.private_subnet_enabled ? length(var.private_subnet_cidrs) > 0 ? var.private_subnet_cidrs : [for netnum in range(local.azs, local.azs * 2) : cidrsubnet(var.vpc_cidr, 4, netnum)] : [] - secondary_private_subnets = var.private_subnet_enabled && var.secondry_cidr_enabled ? [ + vpc_intra_subnets = concat(local.intra_subnets_native, flatten(local.secondary_intra_subnets)) + + # private subnets cidr + private_subnets_native = var.vpc_private_subnet_enabled ? length(var.vpc_private_subnet_cidrs) > 0 ? var.vpc_private_subnet_cidrs : [for netnum in range(var.vpc_private_subnets_counts * 4, var.vpc_private_subnets_counts * 5) : cidrsubnet(var.vpc_cidr, 8, netnum)] : [] + secondary_private_subnets = var.vpc_private_subnet_enabled && var.secondry_cidr_enabled ? [ for cidr_block in var.secondary_cidr_blocks : [ - for netnum in range(local.azs, local.azs * 2) : cidrsubnet(cidr_block, 4, netnum) + for netnum in range(var.vpc_private_subnets_counts, var.vpc_private_subnets_counts * 2) : cidrsubnet(cidr_block, 4, netnum) ] ] : [] - private_subnets = concat(local.private_subnets_native, flatten(local.secondary_private_subnets)) - database_subnets_native = var.database_subnet_enabled ? length(var.database_subnet_cidrs) > 0 ? var.database_subnet_cidrs : [for netnum in range(local.azs * 2, local.azs * 3) : cidrsubnet(var.vpc_cidr, 8, netnum)] : [] - secondary_database_subnets = var.database_subnet_enabled && var.secondry_cidr_enabled ? 
[ + vpc_private_subnets = concat(local.private_subnets_native, flatten(local.secondary_private_subnets)) + + # database subnets cidr + database_subnets_native = var.vpc_database_subnet_enabled ? length(var.vpc_database_subnet_cidrs) > 0 ? var.vpc_database_subnet_cidrs : [for netnum in range(var.vpc_database_subnets_counts * 2, var.vpc_database_subnets_counts * 3) : cidrsubnet(var.vpc_cidr, 8, netnum)] : [] + secondary_database_subnets = var.vpc_database_subnet_enabled && var.secondry_cidr_enabled ? [ for cidr_block in var.secondary_cidr_blocks : [ - for netnum in range(local.azs * 2, local.azs * 3) : cidrsubnet(cidr_block, 8, netnum) + for netnum in range(var.vpc_database_subnets_counts * 2, var.vpc_database_subnets_counts * 3) : cidrsubnet(cidr_block, 8, netnum) ] ] : [] - database_subnets = concat(local.database_subnets_native, flatten(local.secondary_database_subnets)) - single_nat_gateway = var.one_nat_gateway_per_az == true ? false : true - create_database_subnet_route_table = var.database_subnet_enabled - create_flow_log_cloudwatch_log_group = var.flow_log_enabled == true || var.flow_log_cloudwatch_log_group_skip_destroy == true ? true : false + vpc_database_subnets = concat(local.database_subnets_native, flatten(local.secondary_database_subnets)) + vpc_single_nat_gateway = var.vpc_one_nat_gateway_per_az == true ? false : true + create_database_subnet_route_table = var.vpc_database_subnet_enabled + create_flow_log_cloudwatch_log_group = var.vpc_flow_log_enabled == true || var.vpc_flow_log_cloudwatch_log_group_skip_destroy == true ? true : false is_supported_arch = data.aws_ec2_instance_type.arch.supported_architectures[0] == "arm64" ? false : true # for VPN Instance nacl_allow_vpc_access_rule = [{ rule_no = 97 
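Review bot: The native and secondary-CIDR lists for the private and intra tiers now use different subnet sizes: `private_subnets_native` carves with `cidrsubnet(var.vpc_cidr, 8, netnum)` while `secondary_private_subnets` still uses newbits 4 over `range(counts, counts * 2)`, and `intra_subnets_native` switched to newbits 4 while `secondary_intra_subnets` keeps newbits 8. With newbits 4 there are only 16 child blocks, so `range(var.vpc_intra_subnets_counts * 3, var.vpc_intra_subnets_counts * 4)` exceeds index 15 and `cidrsubnet` fails as soon as `vpc_intra_subnets_counts` is 5 or more. Existing deployments that upgrade will also see their private (/20 to /24) and intra (/24 to /20) CIDRs change, which forces subnet replacement. I would use one newbits value per tier in both lists, e.g. restore `cidrsubnet(var.vpc_cidr, 8, netnum)` for `intra_subnets_native` and use `range(var.vpc_private_subnets_counts * 4, var.vpc_private_subnets_counts * 5) : cidrsubnet(cidr_block, 8, netnum)` for the secondary private list, and call the CIDR change out in the changelog. The `locals` block continues past the end of this hunk.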
@@ -49,53 +56,52 @@ locals { database_subnet_assign_ipv6_address_on_creation = var.database_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false intra_subnet_assign_ipv6_address_on_creation = var.intra_subnet_assign_ipv6_address_on_creation == true && var.ipv6_enabled == true ? true : false - public_subnet_ipv6_prefixes = var.public_subnet_enabled ? [for i in range(local.azs) : i] : [] - private_subnet_ipv6_prefixes = var.private_subnet_enabled ? [for i in range(local.azs) : i + length(data.aws_availability_zones.available.names)] : [] - database_subnet_ipv6_prefixes = var.database_subnet_enabled ? [for i in range(local.azs) : i + 2 * length(data.aws_availability_zones.available.names)] : [] - intra_subnet_ipv6_prefixes = var.intra_subnet_enabled ? [for i in range(local.azs) : i + 3 * length(data.aws_availability_zones.available.names)] : [] + public_subnet_ipv6_prefixes = var.vpc_public_subnet_enabled ? [for i in range(local.azs) : i] : [] + private_subnet_ipv6_prefixes = var.vpc_private_subnet_enabled ? [for i in range(local.azs) : i + length(data.aws_availability_zones.available.names)] : [] + database_subnet_ipv6_prefixes = var.vpc_database_subnet_enabled ? [for i in range(local.azs) : i + 2 * length(data.aws_availability_zones.available.names)] : [] + intra_subnet_ipv6_prefixes = var.vpc_intra_subnet_enabled ? [for i in range(local.azs) : i + 3 * length(data.aws_availability_zones.available.names)] : [] } data "aws_availability_zones" "available" {} data "aws_ec2_instance_type" "arch" { instance_type = var.vpn_server_instance_type } - module "vpc" { source = "terraform-aws-modules/vpc/aws" version = "5.2.0" name = format("%s-%s-vpc", var.environment, var.name) cidr = var.vpc_cidr # CIDR FOR VPC - azs = var.availability_zones + azs = var.vpc_availability_zones use_ipam_pool = var.ipam_enabled ? true : false - ipv4_ipam_pool_id = var.ipam_enabled && var.create_ipam_pool ? 
aws_vpc_ipam_pool.ipam_pool[0].id : null + ipv4_ipam_pool_id = var.ipam_enabled && var.ipam_pool_enabled ? aws_vpc_ipam_pool.ipam_pool[0].id : null ipv4_netmask_length = var.ipam_enabled ? var.ipv4_netmask_length : null - create_database_subnet_group = length(local.database_subnets) > 1 && var.enable_database_subnet_group ? true : false - intra_subnets = local.intra_subnets - public_subnets = local.public_subnets - private_subnets = local.private_subnets - database_subnets = local.database_subnets - enable_flow_log = var.flow_log_enabled - enable_nat_gateway = length(local.private_subnets) > 0 && !var.ipv6_only ? true : false - single_nat_gateway = local.single_nat_gateway - enable_vpn_gateway = false - enable_dns_hostnames = true - flow_log_traffic_type = "ALL" + create_database_subnet_group = length(local.vpc_database_subnets) > 1 && var.database_subnet_group_enabled ? true : false + intra_subnets = local.vpc_intra_subnets + public_subnets = local.vpc_public_subnets + private_subnets = local.vpc_private_subnets + database_subnets = local.vpc_database_subnets + enable_flow_log = var.vpc_flow_log_enabled + enable_nat_gateway = length(local.vpc_private_subnets) > 0 && !var.ipv6_only ? true : false + single_nat_gateway = local.vpc_single_nat_gateway + enable_vpn_gateway = var.vpn_gateway_enabled + enable_dns_hostnames = var.dns_hostnames_enabled + flow_log_traffic_type = var.vpc_flow_log_traffic_type secondary_cidr_blocks = var.secondry_cidr_enabled ? 
var.secondary_cidr_blocks : [] - one_nat_gateway_per_az = var.one_nat_gateway_per_az + one_nat_gateway_per_az = var.vpc_one_nat_gateway_per_az map_public_ip_on_launch = var.auto_assign_public_ip - flow_log_destination_type = "cloud-watch-logs" - manage_default_network_acl = true + flow_log_destination_type = var.vpc_flow_log_destination_type + manage_default_network_acl = var.vpc_manage_default_network_acl default_network_acl_ingress = concat(local.nacl_allow_vpc_access_rule, var.default_network_acl_ingress) - manage_default_security_group = true - default_security_group_ingress = [] # Enforcing no rules being present in the default security group. - default_security_group_egress = [] - create_database_nat_gateway_route = false + manage_default_security_group = var.manage_vpc_default_security_group + default_security_group_ingress = var.vpc_default_security_group_ingress # Enforcing no rules being present in the default security group. + default_security_group_egress = var.vpc_default_security_group_egress + create_database_nat_gateway_route = var.database_nat_gateway_route_enabled create_database_subnet_route_table = local.create_database_subnet_route_table - create_flow_log_cloudwatch_iam_role = var.flow_log_enabled + create_flow_log_cloudwatch_iam_role = var.vpc_flow_log_enabled create_flow_log_cloudwatch_log_group = local.create_flow_log_cloudwatch_log_group - flow_log_max_aggregation_interval = var.flow_log_max_aggregation_interval - flow_log_cloudwatch_log_group_skip_destroy = var.flow_log_cloudwatch_log_group_skip_destroy - flow_log_cloudwatch_log_group_retention_in_days = var.flow_log_cloudwatch_log_group_retention_in_days - flow_log_cloudwatch_log_group_kms_key_id = var.flow_log_cloudwatch_log_group_kms_key_arn + flow_log_max_aggregation_interval = var.vpc_flow_log_max_aggregation_interval + flow_log_cloudwatch_log_group_skip_destroy = var.vpc_flow_log_cloudwatch_log_group_skip_destroy + flow_log_cloudwatch_log_group_retention_in_days = 
var.vpc_flow_log_cloudwatch_log_group_retention_in_days + flow_log_cloudwatch_log_group_kms_key_id = var.vpc_flow_log_cloudwatch_log_group_kms_key_arn enable_ipv6 = local.enable_ipv6 public_subnet_ipv6_native = local.ipv6_only private_subnet_ipv6_native = local.ipv6_only @@ -182,36 +188,32 @@ module "vpn_server" { vpc_id = module.vpc.vpc_id vpc_cidr = var.vpc_cidr environment = var.environment - vpn_key_pair = var.vpn_key_pair_name - public_subnet = module.vpc.public_subnets[0] + vpn_key_pair_name = var.vpn_server_key_pair_name + public_subnet_ids = module.vpc.public_subnets[0] vpn_server_instance_type = var.vpn_server_instance_type } resource "aws_vpc_ipam" "ipam" { - count = var.ipam_enabled && var.create_ipam_pool ? 1 : 0 + count = var.ipam_enabled && var.ipam_pool_enabled ? 1 : 0 operating_regions { - region_name = var.region + region_name = var.aws_region } - - } # IPv4 resource "aws_vpc_ipam_pool" "ipam_pool" { - count = var.ipam_enabled && var.create_ipam_pool ? 1 : 0 + count = var.ipam_enabled && var.ipam_pool_enabled ? 1 : 0 description = "IPv4 pool" - address_family = "ipv4" + address_family = var.ipam_address_family ipam_scope_id = aws_vpc_ipam.ipam[0].private_default_scope_id - locale = var.region + locale = var.aws_region allocation_default_netmask_length = 16 - - } resource "aws_vpc_ipam_pool_cidr" "ipam_pool_cidr" { count = var.ipam_enabled ? 1 : 0 - ipam_pool_id = var.create_ipam_pool ? aws_vpc_ipam_pool.ipam_pool[0].id : var.ipam_pool_id - cidr = var.create_ipam_pool ? var.vpc_cidr : var.existing_ipam_managed_cidr + ipam_pool_id = var.ipam_pool_enabled ? aws_vpc_ipam_pool.ipam_pool[0].id : var.ipam_pool_id + cidr = var.ipam_pool_enabled ? var.vpc_cidr : var.existing_ipam_managed_cidr } # private links for S3 
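Review bot: The hardening that was previously fixed in code is now variable-driven (`manage_default_security_group`, `default_security_group_ingress`/`egress`, `manage_default_network_acl`, `flow_log_traffic_type`, `flow_log_destination_type`, `enable_dns_hostnames`), so the secure baseline now depends entirely on the defaults in variables.tf, which this diff does not show; the retained comment `# Enforcing no rules being present in the default security group.` is no longer true of the line it sits on. I would keep `default = []` for both rule variables and `default = true` for the two `manage_*` flags, and reword the comment to `# Rules come from var.vpc_default_security_group_ingress; leave it empty to keep the default SG closed.` Separately, the `*_subnet_ipv6_prefixes` lists are still sized by `range(local.azs)` while the IPv4 subnet lists are now sized by the `*_counts` variables, so when a count differs from the AZ count the prefix list presumably no longer lines up with the subnets it is indexed against. The `module "vpc"` block continues past the end of this hunk.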
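Review bot: `address_family = var.ipam_address_family` makes the pool family configurable, but everything around it is still IPv4-only: the pool is described as "IPv4 pool", `allocation_default_netmask_length = 16` is an IPv4 length, the pool id is handed to the VPC's `ipv4_ipam_pool_id` earlier in this file, and `aws_vpc_ipam_pool_cidr` provisions `var.vpc_cidr`. Setting the variable to `ipv6` would therefore produce a pool that nothing in the module can use; either keep the value fixed at `"ipv4"` or add a validation block to the variable, `validation { condition = var.ipam_address_family == "ipv4"; error_message = "Only ipv4 IPAM pools are wired into this module." }`. In the `vpn_server` block, `public_subnet_ids = module.vpc.public_subnets[0]` passes a single id to a plural-named argument; if the VPN module expects a list this should be `[module.vpc.public_subnets[0]]`, but its variables are not visible here, so please confirm.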
@@ -225,13 +227,13 @@ data "aws_route_tables" "aws_private_routes" { } } -resource "aws_vpc_endpoint" "private-s3" { +resource "aws_vpc_endpoint" "private_s3" { count = var.vpc_s3_endpoint_enabled ? 1 : 0 depends_on = [data.aws_route_tables.aws_private_routes] vpc_id = module.vpc.vpc_id - service_name = "com.amazonaws.${var.region}.s3" + service_name = "com.amazonaws.${var.aws_region}.s3" route_table_ids = data.aws_route_tables.aws_private_routes[0].ids - vpc_endpoint_type = "Gateway" + vpc_endpoint_type = var.vpc_endpoint_type_private_s3 policy = < [accepter\_name](#input\_accepter\_name) | Assign a meaningful name or label to the VPC Accepter. This aids in distinguishing the Accepter VPC within the VPC peering connection. | `string` | `""` | no | -| [accepter\_vpc\_id](#input\_accepter\_vpc\_id) | Specify the unique identifier of the VPC that will act as the Acceptor in the VPC peering connection. | `string` | `""` | no | -| [accepter\_vpc\_region](#input\_accepter\_vpc\_region) | Provide the AWS region where the Acceptor VPC is located. This helps in identifying the correct region for establishing the VPC peering connection. | `string` | `""` | no | -| [peering\_enabled](#input\_peering\_enabled) | Set this variable to true if you want to create the VPC peering connection. Set it to false if you want to skip the creation process. | `bool` | `true` | no | -| [requester\_name](#input\_requester\_name) | Provide a descriptive name or label for the VPC Requester. This helps identify and differentiate the Requester VPC in the peering connection. | `string` | `""` | no | -| [requester\_vpc\_id](#input\_requester\_vpc\_id) | Specify the unique identifier of the VPC that will act as the Reqester in the VPC peering connection. | `string` | `""` | no | -| [requester\_vpc\_region](#input\_requester\_vpc\_region) | Specify the AWS region where the Requester VPC resides. It ensures the correct region is used for setting up the VPC peering. 
| `string` | `""` | no | +| [vpc\_peering\_accepter\_aws\_profile](#input\_vpc\_peering\_accepter\_aws\_profile) | Provide the AWS profile where the accepter VPC is located. | `string` | `""` | no | +| [vpc\_peering\_accepter\_id](#input\_vpc\_peering\_accepter\_id) | Specify the unique identifier of the VPC that will act as the Acceptor in the VPC peering connection. | `string` | `""` | no | +| [vpc\_peering\_accepter\_name](#input\_vpc\_peering\_accepter\_name) | Assign a meaningful name or label to the VPC Accepter. This aids in distinguishing the Accepter VPC within the VPC peering connection. | `string` | `""` | no | +| [vpc\_peering\_accepter\_region](#input\_vpc\_peering\_accepter\_region) | Provide the AWS region where the Acceptor VPC is located. This helps in identifying the correct region for establishing the VPC peering connection. | `string` | `""` | no | +| [vpc\_peering\_enabled](#input\_vpc\_peering\_enabled) | Set this variable to true if you want to create the VPC peering connection. Set it to false if you want to skip the creation process. | `bool` | `true` | no | +| [vpc\_peering\_multi\_account\_enabled](#input\_vpc\_peering\_multi\_account\_enabled) | Set this variable to true if you want to create the VPC peering connection between reagions. Set it to false if you want to skip the creation process. | `bool` | `true` | no | +| [vpc\_peering\_requester\_aws\_profile](#input\_vpc\_peering\_requester\_aws\_profile) | Provide the AWS profile where the requester VPC is located. | `string` | `""` | no | +| [vpc\_peering\_requester\_id](#input\_vpc\_peering\_requester\_id) | Specify the unique identifier of the VPC that will act as the Reqester in the VPC peering connection. | `string` | `""` | no | +| [vpc\_peering\_requester\_name](#input\_vpc\_peering\_requester\_name) | Provide a descriptive name or label for the VPC Requester. This helps identify and differentiate the Requester VPC in the peering connection. 
| `string` | `""` | no | +| [vpc\_peering\_requester\_region](#input\_vpc\_peering\_requester\_region) | Specify the AWS region where the Requester VPC resides. It ensures the correct region is used for setting up the VPC peering. | `string` | `""` | no | ## Outputs diff --git a/modules/vpc_peering/main.tf b/modules/vpc_peering/main.tf old mode 100644 new mode 100755 index 533721f..2387a42 --- a/modules/vpc_peering/main.tf +++ b/modules/vpc_peering/main.tf 
@@ -1,63 +1,70 @@ locals { - requester_route_tables_ids = data.aws_route_tables.requester.ids - accepter_route_tables_ids = data.aws_route_tables.accepter.ids + vpc_peering_requester_route_tables_ids = data.aws_route_tables.requester.ids + vpc_peering_accepter_route_tables_ids = data.aws_route_tables.accepter.ids } provider "aws" { - alias = "peer" - region = var.requester_vpc_region + alias = "peer" + region = var.vpc_peering_requester_region + profile = var.vpc_peering_multi_account_enabled ? var.vpc_peering_requester_aws_profile : "default" } provider "aws" { - alias = "accepter" - region = var.accepter_vpc_region + alias = "accepter" + region = var.vpc_peering_accepter_region + profile = var.vpc_peering_multi_account_enabled ? var.vpc_peering_accepter_aws_profile : "default" } data "aws_vpc" "accepter" { - id = var.accepter_vpc_id + id = var.vpc_peering_accepter_id provider = aws.accepter } data "aws_route_tables" "accepter" { - vpc_id = var.accepter_vpc_id + vpc_id = var.vpc_peering_accepter_id provider = aws.accepter } data "aws_vpc" "requester" { - id = var.requester_vpc_id + id = var.vpc_peering_requester_id provider = aws.peer } data "aws_route_tables" "requester" { - vpc_id = var.requester_vpc_id + vpc_id = var.vpc_peering_requester_id provider = aws.peer } +data "aws_caller_identity" "accepter" { + provider = aws.accepter +} + resource "aws_vpc_peering_connection" "this" { - count = var.peering_enabled ? 1 : 0 - vpc_id = var.requester_vpc_id - peer_vpc_id = var.accepter_vpc_id - peer_region = var.accepter_vpc_region - auto_accept = false - provider = aws.peer + count = var.vpc_peering_enabled ? 1 : 0 + vpc_id = var.vpc_peering_requester_id + peer_vpc_id = var.vpc_peering_accepter_id + peer_region = var.vpc_peering_multi_account_enabled ? var.vpc_peering_accepter_region : null + auto_accept = false + peer_owner_id = var.vpc_peering_multi_account_enabled ? 
data.aws_caller_identity.accepter.id : null + provider = aws.peer tags = { - Name = format("%s-%s-%s", var.requester_name, "to", var.accepter_name) + Name = format("%s-%s-%s", var.vpc_peering_requester_name, "to", var.vpc_peering_accepter_name) } } resource "aws_vpc_peering_connection_accepter" "this" { - count = var.peering_enabled ? 1 : 0 + count = var.vpc_peering_enabled ? 1 : 0 depends_on = [aws_vpc_peering_connection.this] provider = aws.accepter vpc_peering_connection_id = aws_vpc_peering_connection.this[0].id auto_accept = true tags = { - Name = format("%s-%s-%s", var.requester_name, "to", var.accepter_name) + Name = format("%s-%s-%s", var.vpc_peering_requester_name, "to", var.vpc_peering_accepter_name) } } resource "aws_vpc_peering_connection_options" "this" { - count = var.peering_enabled ? 1 : 0 + count = var.vpc_peering_enabled ? 1 : 0 depends_on = [aws_vpc_peering_connection_accepter.this] vpc_peering_connection_id = aws_vpc_peering_connection.this[0].id accepter { 
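Review bot: `peer_region` is now only sent when `vpc_peering_multi_account_enabled` is true, but `peer_region` controls cross-region peering, not cross-account peering; the old code always passed `var.accepter_vpc_region`, so a same-account peering between two regions now sends `peer_region = null` and the accepter VPC is presumably looked up in the requester's region. I would pass it unconditionally, `peer_region = var.vpc_peering_accepter_region`, and keep only `peer_owner_id` tied to the multi-account flag. The provider `profile` fallback to the literal `"default"` forces a named shared-config profile even for callers using environment credentials or an instance role; `null` lets the provider use its normal credential chain, e.g. `profile = var.vpc_peering_multi_account_enabled ? var.vpc_peering_requester_aws_profile : null`. `data.aws_caller_identity.accepter.account_id` is the documented attribute for the account id and reads more clearly than `.id`. The `aws_vpc_peering_connection_options` resource continues past the end of this hunk.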
@@ -70,17 +77,17 @@ resource "aws_vpc_peering_connection_options" "this" { #### route tables #### resource "aws_route" "requester" { - count = var.peering_enabled ? length(local.requester_route_tables_ids) : 0 - route_table_id = local.requester_route_tables_ids[count.index] + count = var.vpc_peering_enabled ? length(local.vpc_peering_requester_route_tables_ids) : 0 + route_table_id = local.vpc_peering_requester_route_tables_ids[count.index] destination_cidr_block = data.aws_vpc.accepter.cidr_block - vpc_peering_connection_id = var.peering_enabled ? aws_vpc_peering_connection.this[0].id : null + vpc_peering_connection_id = var.vpc_peering_enabled ? aws_vpc_peering_connection.this[0].id : null provider = aws.peer } resource "aws_route" "accepter" { - count = var.peering_enabled ? length(local.accepter_route_tables_ids) : 0 - route_table_id = local.accepter_route_tables_ids[count.index] + count = var.vpc_peering_enabled ? length(local.vpc_peering_accepter_route_tables_ids) : 0 + route_table_id = local.vpc_peering_accepter_route_tables_ids[count.index] destination_cidr_block = data.aws_vpc.requester.cidr_block - vpc_peering_connection_id = var.peering_enabled ? aws_vpc_peering_connection.this[0].id : null + vpc_peering_connection_id = var.vpc_peering_enabled ? aws_vpc_peering_connection.this[0].id : null provider = aws.accepter } diff --git a/modules/vpc_peering/outputs.tf b/modules/vpc_peering/outputs.tf old mode 100644 new mode 100755 index 1d8a27a..1381a64 --- a/modules/vpc_peering/outputs.tf +++ b/modules/vpc_peering/outputs.tf 
@@ -1,9 +1,9 @@ output "vpc_peering_connection_id" { description = "Peering connection ID" - value = var.peering_enabled ? aws_vpc_peering_connection.this[0].id : null + value = var.vpc_peering_enabled ? aws_vpc_peering_connection.this[0].id : null } output "vpc_peering_accept_status" { description = "Status for the connection" - value = var.peering_enabled ? aws_vpc_peering_connection_accepter.this[0].accept_status : null -} + value = var.vpc_peering_enabled ? aws_vpc_peering_connection_accepter.this[0].accept_status : null +} diff --git a/modules/vpc_peering/variables.tf b/modules/vpc_peering/variables.tf old mode 100644 new mode 100755 index 9865a10..b3424f8 --- a/modules/vpc_peering/variables.tf +++ b/modules/vpc_peering/variables.tf 
@@ -1,41 +1,59 @@ -variable "accepter_vpc_id" { +variable "vpc_peering_accepter_id" { type = string description = "Specify the unique identifier of the VPC that will act as the Acceptor in the VPC peering connection." default = "" } -variable "accepter_vpc_region" { +variable "vpc_peering_accepter_region" { type = string description = "Provide the AWS region where the Acceptor VPC is located. This helps in identifying the correct region for establishing the VPC peering connection." default = "" } -variable "requester_vpc_id" { +variable "vpc_peering_requester_id" { type = string description = "Specify the unique identifier of the VPC that will act as the Reqester in the VPC peering connection." default = "" } -variable "requester_vpc_region" { +variable "vpc_peering_requester_region" { type = string description = "Specify the AWS region where the Requester VPC resides. It ensures the correct region is used for setting up the VPC peering." default = "" } -variable "requester_name" { +variable "vpc_peering_requester_name" { type = string description = "Provide a descriptive name or label for the VPC Requester. This helps identify and differentiate the Requester VPC in the peering connection." default = "" } -variable "accepter_name" { +variable "vpc_peering_accepter_name" { type = string description = "Assign a meaningful name or label to the VPC Accepter. This aids in distinguishing the Accepter VPC within the VPC peering connection." default = "" } -variable "peering_enabled" { +variable "vpc_peering_enabled" { type = bool description = "Set this variable to true if you want to create the VPC peering connection. Set it to false if you want to skip the creation process." default = true } + +variable "vpc_peering_multi_account_enabled" { + type = bool + description = "Set this variable to true if you want to create the VPC peering connection between reagions. Set it to false if you want to skip the creation process." 
+ default = true +} + +variable "vpc_peering_requester_aws_profile" { + type = string + description = "Provide the AWS profile where the requester VPC is located." + default = "" +} + +variable "vpc_peering_accepter_aws_profile" { + type = string + description = "Provide the AWS profile where the accepter VPC is located." + default = "" +} diff --git a/modules/vpc_peering/versions.tf b/modules/vpc_peering/versions.tf old mode 100644 new mode 100755 diff --git a/modules/vpn/README.md b/modules/vpn/README.md old mode 100644 new mode 100755 index bf0d988..8a3e54f --- a/modules/vpn/README.md +++ b/modules/vpn/README.md 
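Review bot: The description of `vpc_peering_multi_account_enabled` says the flag creates the peering "between reagions", but in main.tf of this same diff it switches the two providers to the per-side AWS profiles and sets `peer_owner_id` from the accepter account, so the text should say what it does, e.g. `description = "Set to true when the requester and accepter VPCs are in different AWS accounts; the module then uses the per-side AWS profiles and sets peer_owner_id from the accepter account."`. With `default = true` and both profile variables defaulting to `""`, a caller who sets nothing presumably ends up with `profile = ""` on both providers; defaulting the flag to `false` makes cross-account use an explicit opt-in. While here, the descriptions still carry the typos "Reqester" and "Acceptor" (the module uses "accepter" everywhere else).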
@@ -33,38 +33,38 @@ Refer [this](https://pritunl.com/) for more information. | Name | Source | Version | |------|--------|---------| -| [security\_group\_vpn](#module\_security\_group\_vpn) | terraform-aws-modules/security-group/aws | 4.13.0 | -| [vpn\_server](#module\_vpn\_server) | terraform-aws-modules/ec2-instance/aws | 4.1.4 | +| [security\_group\_vpn](#module\_security\_group\_vpn) | terraform-aws-modules/security-group/aws | 5.1.0 | +| [vpn\_server](#module\_vpn\_server) | terraform-aws-modules/ec2-instance/aws | 5.6.0 | ## Resources | Name | Type | |------|------| | [aws_eip.vpn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eip) | resource | -| [aws_iam_instance_profile.vpn_SSM](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource | +| [aws_iam_instance_profile.vpn_ssm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource | | [aws_iam_role.vpn_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | | [aws_iam_role_policy_attachment.SSMManagedInstanceCore_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.SecretsManagerReadWrite_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| [aws_ssm_association.ssm_association](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_association) | resource | -| [aws_ssm_document.ssm_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_document) | resource | -| [null_resource.delete_secret](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | -| 
[time_sleep.wait_3_min](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | +| [aws_ssm_association.vpn_ssm_association](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_association) | resource | +| [aws_ssm_document.vpn_ssm_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_document) | resource | +| [null_resource.vpn_delete_secret](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| [time_sleep.vpn_wait_3_min](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | | [aws_ami.ubuntu_20_ami](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source | | [aws_iam_policy.SSMManagedInstanceCore](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source | | [aws_iam_policy.SecretsManagerReadWrite](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source | -| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | | [template_file.pritunl](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| [aws\_region](#input\_aws\_region) | Name of the AWS region where S3 bucket is to be created. 
| `string` | `""` | no |
 | [environment](#input\_environment) | Specify the environment indentifier for the VPC | `string` | `""` | no |
 | [name](#input\_name) | Specify the name of the VPC | `string` | `""` | no |
-| [public\_subnet](#input\_public\_subnet) | The VPC Subnet ID to launch in | `string` | `""` | no |
+| [public\_subnet\_ids](#input\_public\_subnet\_ids) | The VPC Subnet ID to launch in | `string` | `""` | no |
 | [vpc\_cidr](#input\_vpc\_cidr) | The CIDR block of the Default VPC | `string` | `"10.0.0.0/16"` | no |
 | [vpc\_id](#input\_vpc\_id) | The ID of the VPC | `string` | `""` | no |
-| [vpn\_key\_pair](#input\_vpn\_key\_pair) | Specify the name of AWS Keypair to be used for VPN Server | `string` | `""` | no |
+| [vpn\_key\_pair\_name](#input\_vpn\_key\_pair\_name) | Specify the name of AWS Keypair to be used for VPN Server | `string` | `""` | no |
 | [vpn\_server\_instance\_type](#input\_vpn\_server\_instance\_type) | EC2 instance Type for VPN Server, Only amd64 based instance type are supported eg. t2.medium, t3.micro, c5a.large etc. | `string` | `"t3a.small"` | no |
 ## Outputs
diff --git a/modules/vpn/main.tf b/modules/vpn/main.tf
old mode 100644
new mode 100755
index 473138e..813d7fd
--- a/modules/vpn/main.tf
+++ b/modules/vpn/main.tf
@@ -5,7 +5,7 @@ resource "aws_eip" "vpn" {
 module "security_group_vpn" {
 source = "terraform-aws-modules/security-group/aws"
- version = "4.13.0"
+ version = "5.1.0"
 create = true
 name = format("%s-%s-%s", var.environment, var.name, "vpn-sg")
 description = "vpn server security group"
@@ -79,20 +79,18 @@ data "template_file" "pritunl" {
 template = file("${path.module}/scripts/pritunl-vpn.sh")
 }
-data "aws_region" "current" {}
-
 module "vpn_server" {
 source = "terraform-aws-modules/ec2-instance/aws"
- version = "4.1.4"
+ version = "5.6.0"
 name = format("%s-%s-%s", var.environment, var.name, "vpn-ec2-instance")
 ami = data.aws_ami.ubuntu_20_ami.image_id
 instance_type = var.vpn_server_instance_type
- subnet_id = var.public_subnet
- key_name = var.vpn_key_pair
+ subnet_id = var.public_subnet_ids
+ key_name = var.vpn_key_pair_name
 associate_public_ip_address = true
 vpc_security_group_ids = [module.security_group_vpn.security_group_id]
 user_data = join("", data.template_file.pritunl[*].rendered)
- iam_instance_profile = join("", aws_iam_instance_profile.vpn_SSM[*].name)
+ iam_instance_profile = join("", aws_iam_instance_profile.vpn_ssm[*].name)
 root_block_device = [
@@ -141,12 +139,12 @@ resource "aws_iam_role_policy_attachment" "SSMManagedInstanceCore_attachment" {
 policy_arn = data.aws_iam_policy.SSMManagedInstanceCore.arn
 }
-resource "aws_iam_instance_profile" "vpn_SSM" {
+resource "aws_iam_instance_profile" "vpn_ssm" {
 name = format("%s-%s-%s", var.environment, var.name, "vpnEC2InstanceProfile")
 role = join("", aws_iam_role.vpn_role[*].name)
 }
-resource "time_sleep" "wait_3_min" {
+resource "time_sleep" "vpn_wait_3_min" {
 depends_on = [module.vpn_server]
 create_duration = "3m"
 }
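Review bot: The renamed input `var.public_subnet_ids` is plural but is assigned to `subnet_id`, which takes a single subnet ID, and the module README in this same diff documents it as `string` ("The VPC Subnet ID to launch in"); a list-sounding name invites callers to pass a list and fail at plan time, so either keep a singular name such as `public_subnet_id`, or if a list is really intended, type it `list(string)` and select one element, `subnet_id = var.public_subnet_ids[0]`. Removing `data "aws_region" "current" {}` means any remaining `data.aws_region.current` reference in this file would no longer resolve; the replacement is presumably the new `aws_region` input the README lists, whose description there ("where S3 bucket is to be created") does not match this module. The `module "vpn_server"` block continues past the hunk (`root_block_device`), and the ec2-instance module bump from 4.1.4 to 5.6.0 is a major version whose argument changes are not visible here, so the rest of that block should be checked against the 5.x inputs.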
@@ -160,18 +158,18 @@ resource "aws_iam_role_policy_attachment" "SecretsManagerReadWrite_attachment" { policy_arn = data.aws_iam_policy.SecretsManagerReadWrite.arn } -resource "aws_ssm_association" "ssm_association" { - name = aws_ssm_document.ssm_document.name - depends_on = [time_sleep.wait_3_min] +resource "aws_ssm_association" "vpn_ssm_association" { + name = aws_ssm_document.vpn_ssm_document.name + depends_on = [time_sleep.vpn_wait_3_min] targets { key = "InstanceIds" values = [module.vpn_server.id] } } -resource "aws_ssm_document" "ssm_document" { +resource "aws_ssm_document" "vpn_ssm_document" { name = format("%s-%s-%s", var.environment, var.name, "ssm_document_create_secret") - depends_on = [time_sleep.wait_3_min] + depends_on = [time_sleep.vpn_wait_3_min] document_type = "Command" content = < 0 ? module.vpc.public_subnets : null -} - -output "private_subnets" { - description = "List of IDs of private subnets" - value = length(module.vpc.private_subnets) > 0 ? module.vpc.private_subnets : null -} - -output "database_subnets" { - description = "List of IDs of database subnets" - value = length(module.vpc.database_subnets) > 0 ? module.vpc.database_subnets : null -} - -output "intra_subnets" { - description = "List of IDs of Intra subnets" - value = length(module.vpc.intra_subnets) > 0 ? module.vpc.intra_subnets : null - -} - -output "vpn_host_public_ip" { - description = "IP Address of VPN Server" - value = var.vpn_server_enabled ? module.vpn_server[0].vpn_host_public_ip : null -} - -output "vpn_security_group" { - description = "Security Group ID of VPN Server" - value = var.vpn_server_enabled ? 
module.vpn_server[0].vpn_security_group : null -} - -output "vpc_ipv6_association_id" { - description = "The association ID for the IPv6 CIDR block" - value = module.vpc.vpc_ipv6_association_id -} - -output "ipv6_vpc_cidr_block" { - description = "The IPv6 CIDR block" - value = module.vpc.vpc_ipv6_cidr_block -} - -output "vpc_secondary_cidr_blocks" { - description = "List of secondary CIDR blocks of the VPC" - value = module.vpc.vpc_secondary_cidr_blocks -} +output "vpc_id" { + description = "The ID of the VPC" + value = module.vpc.vpc_id +} + +output "vpc_cidr_block" { + description = "AWS Region" + value = module.vpc.vpc_cidr_block +} + +output "vpc_public_subnets" { + description = "List of IDs of public subnets" + value = length(module.vpc.public_subnets) > 0 ? module.vpc.public_subnets : null +} + +output "vpc_private_subnets" { + description = "List of IDs of private subnets" + value = length(module.vpc.private_subnets) > 0 ? module.vpc.private_subnets : null +} + +output "database_subnets" { + description = "List of IDs of database subnets" + value = length(module.vpc.database_subnets) > 0 ? module.vpc.database_subnets : null +} + +output "vpc_intra_subnets" { + description = "List of IDs of Intra subnets" + value = length(module.vpc.intra_subnets) > 0 ? module.vpc.intra_subnets : null +} + +output "vpn_host_public_ip" { + description = "IP Adress of VPN Server" + value = var.vpn_server_enabled ? module.vpn_server[0].vpn_host_public_ip : null +} + +output "vpn_security_group" { + description = "Security Group ID of VPN Server" + value = var.vpn_server_enabled ? module.vpn_server[0].vpn_security_group : null +} diff --git a/tfsec.yaml b/tfsec.yaml old mode 100644 new mode 100755 diff --git a/variables.tf b/variables.tf old mode 100644 new mode 100755 index ca9a7a5..c5a4ef2 --- a/variables.tf +++ b/variables.tf 
@@ -1,3 +1,33 @@
+
+variable "additional_aws_tags" {
+ description = "Additional tags to be applied to AWS resources"
+ type = map(string)
+ default = {}
+}
+
+variable "additional_tags" {
+ description = "Additional tags to be applied to AWS resources"
+ type = map(string)
+ default = {
+ Owner = "organization_name"
+ Expires = "Never"
+ Department = "Engineering"
+ }
+
+}
+
+variable "aws_region" {
+ description = "Name of the AWS region where VPC is to be created."
+ default = ""
+ type = string
+}
+
+variable "aws_account_id" {
+ description = "Account ID of the AWS Account."
+ default = "1234567890"
+ type = string
+}
+
 variable "environment" {
 description = "Specify the environment indentifier for the VPC"
 type = string
@@ -8,7 +38,6 @@ variable "name" {
 description = "Specify the name of the VPC"
 type = string
 default = ""
-
 }
 variable "vpc_cidr" {
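Review bot: `aws_account_id` ships with a literal default of `"1234567890"`, a ten-digit placeholder (AWS account IDs are twelve digits), so anything that interpolates it into an ARN or a policy principal will silently reference a non-existent account instead of failing early; prefer `default = null` plus a `validation` block so an unset or malformed value is rejected at plan time (assuming the module's required Terraform version supports validation blocks). `additional_aws_tags` and `additional_tags` carry the identical description, and the latter's default `Owner = "organization_name"` becomes a real tag value wherever the module applies it; the descriptions should say how the two differ, and the `Owner` placeholder is better documented as an example than shipped as a default. The stray blank line before the closing brace of `additional_tags` is a style nit.
```terraform
variable "aws_account_id" {
  description = "Account ID of the AWS Account."
  type        = string
  default     = null
  validation {
    condition     = var.aws_account_id == null || can(regex("^[0-9]{12}$", var.aws_account_id))
    error_message = "aws_account_id must be a 12-digit AWS account ID."
  }
}
# … unchanged: environment / name / vpc_cidr variables …
```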
@@ -17,55 +46,55 @@ variable "vpc_cidr" {
 type = string
 }
-variable "availability_zones" {
- description = "Number of Availability Zone to be used by VPC Subnets"
+variable "vpc_availability_zones" {
+ description = "Number of Availability Zone to be used by VPC Subnets."
 default = []
 type = list(any)
 }
-variable "public_subnet_enabled" {
+variable "vpc_public_subnet_enabled" {
 description = "Set true to enable public subnets"
 default = false
 type = bool
 }
-variable "public_subnet_cidrs" {
+variable "vpc_public_subnet_cidrs" {
 description = "A list of public subnets CIDR to be created inside the VPC"
 default = []
 type = list(any)
 }
-variable "private_subnet_enabled" {
+variable "vpc_private_subnet_enabled" {
 description = "Set true to enable private subnets"
 default = false
 type = bool
 }
-variable "private_subnet_cidrs" {
+variable "vpc_private_subnet_cidrs" {
 description = "A list of private subnets CIDR to be created inside the VPC"
 default = []
 type = list(any)
 }
-variable "database_subnet_enabled" {
+variable "vpc_database_subnet_enabled" {
 description = "Set true to enable database subnets"
 default = false
 type = bool
 }
-variable "database_subnet_cidrs" {
+variable "vpc_database_subnet_cidrs" {
 description = "Database Tier subnet CIDRs to be created"
 default = []
 type = list(any)
 }
-variable "intra_subnet_enabled" {
+variable "vpc_intra_subnet_enabled" {
 description = "Set true to enable intra subnets"
 default = false
 type = bool
 }
-variable "intra_subnet_cidrs" {
+variable "vpc_intra_subnet_cidrs" {
 description = "A list of intra subnets CIDR to be created"
 default = []
 type = list(any)
@@ -83,7 +112,7 @@ variable "vpn_server_instance_type" {
 type = string
 }
-variable "vpn_key_pair_name" {
+variable "vpn_server_key_pair_name" {
 description = "Specify the name of AWS Keypair to be used for VPN Server"
 default = ""
 type = string
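Review bot: `vpc_availability_zones` is typed `list(any)` with an empty-list default, yet its description still reads "Number of Availability Zone to be used by VPC Subnets." — the rename only appended a period, so the text still describes a count rather than the list the type declares; suggested `description = "List of Availability Zone names in which the VPC subnets are created."`. The four `vpc_*_subnet_cidrs` inputs renamed in the same hunk share the `list(any)` typing; `list(string)` is the accurate type for AZ names and CIDR strings and lets a mistyped element fail at plan time instead of inside the provider.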
@@ -129,25 +158,25 @@ variable "default_network_acl_ingress" {
 ]
 }
-variable "one_nat_gateway_per_az" {
+variable "vpc_one_nat_gateway_per_az" {
 description = "Set to true if a NAT Gateway is required per availability zone for Private Subnet Tier"
 default = false
 type = bool
 }
-variable "flow_log_enabled" {
+variable "vpc_flow_log_enabled" {
 description = "Whether or not to enable VPC Flow Logs"
 type = bool
 default = false
 }
-variable "flow_log_cloudwatch_log_group_retention_in_days" {
+variable "vpc_flow_log_cloudwatch_log_group_retention_in_days" {
 description = "Specifies the number of days you want to retain log events in the specified log group for VPC flow logs."
 type = number
 default = null
 }
-variable "flow_log_max_aggregation_interval" {
+variable "vpc_flow_log_max_aggregation_interval" {
 description = "The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: `60` seconds or `600` seconds."
 type = number
 default = 60
@@ -159,7 +188,6 @@ variable "auto_assign_public_ip" {
 default = false
 }
-
 variable "ipv6_enabled" {
 description = "Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block."
 type = bool
@@ -178,21 +206,19 @@ variable "public_subnet_assign_ipv6_address_on_creation" {
 default = null
 }
-
 variable "database_subnet_assign_ipv6_address_on_creation" {
 description = "Assign IPv6 address on database subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch"
 type = bool
 default = null
 }
-
 variable "intra_subnet_assign_ipv6_address_on_creation" {
 description = "Assign IPv6 address on intra subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch"
 type = bool
 default = null
 }
-variable "flow_log_cloudwatch_log_group_kms_key_arn" {
+variable "vpc_flow_log_cloudwatch_log_group_kms_key_arn" {
 description = "The ARN of the KMS Key to use when encrypting log data for VPC flow logs"
 type = string
 default = null
@@ -216,18 +242,12 @@ variable "secondry_cidr_enabled" {
 type = bool
 }
-variable "enable_database_subnet_group" {
+variable "database_subnet_group_enabled" {
 description = "Whether create database subnet groups"
 default = false
 type = bool
 }
-# variable "tags" {
-# description = "The Tags attached with the resources"
-# default = {}
-# type = any
-# }
-
 variable "ipam_pool_id" {
 description = "The existing IPAM pool id if any"
 default = null
@@ -240,7 +260,7 @@ variable "ipam_enabled" {
 type = bool
 }
-variable "create_ipam_pool" {
+variable "ipam_pool_enabled" {
 description = "Whether create new IPAM pool"
 default = true
 type = bool
@@ -252,19 +272,13 @@ variable "ipv4_netmask_length" {
 type = number
 }
-variable "region" {
- description = "The AWS region name"
- type = string
- default = null
-}
-
 variable "existing_ipam_managed_cidr" {
 description = "The existing IPAM pool CIDR"
 default = ""
 type = string
 }
-variable "flow_log_cloudwatch_log_group_skip_destroy" {
+variable "vpc_flow_log_cloudwatch_log_group_skip_destroy" {
 description = " Set to true if you do not wish the log group (and any logs it may contain) to be deleted at destroy time, and instead just remove the log group from the Terraform state"
 type = bool
 default = false
@@ -281,3 +295,111 @@ variable "vpc_ecr_endpoint_enabled" {
 type = bool
 default = false
 }
+
+variable "vpn_gateway_enabled" {
+ description = "Whether to enable vpn Gateway"
+ type = bool
+ default = false
+}
+
+variable "dns_hostnames_enabled" {
+ description = "Whether to enable DNS hostnames"
+ type = bool
+ default = true
+}
+
+variable "vpc_manage_default_network_acl" {
+ description = "Should be true to manage Default Network ACL"
+ type = bool
+ default = true
+}
+
+variable "vpc_flow_log_traffic_type" {
+ description = "The type of traffic to capture. Valid values: ACCEPT, REJECT, ALL"
+ type = string
+ default = "ALL"
+}
+
+variable "vpc_flow_log_destination_type" {
+ description = "Type of flow log destination. Can be s3 or cloud-watch-logs"
+ type = string
+ default = "cloud-watch-logs"
+}
+
+variable "manage_vpc_default_security_group" {
+ description = "Should be true to manage Default Security group of vpc"
+ type = bool
+ default = true
+}
+
+variable "database_nat_gateway_route_enabled" {
+ description = "Nat Gateway route to be created for internet access to database subnets"
+ type = bool
+ default = false
+}
+
+variable "vpc_endpoint_type_ecr_api" {
+ description = "The type of VPC endpoint for ECR api"
+ type = string
+ default = "Interface"
+}
+
+variable "vpc_endpoint_type_ecr_dkr" {
+ description = "The type of VPC endpoint for ECR Docker"
+ type = string
+ default = "Interface"
+}
+
+variable "vpc_endpoint_type_private_s3" {
+ description = "The type of VPC endpoint for ECR Docker"
+ type = string
+ default = "Gateway"
+}
+
+variable "ipam_address_family" {
+ description = "The address family for the VPC (ipv4 or ipv6)"
+ type = string
+ default = "ipv4"
+}
+
+# Define input variables to accept subnet counts
+variable "vpc_public_subnets_counts" {
+ description = "List of counts for public subnets"
+ type = number
+ default = 1
+}
+
+variable "vpc_private_subnets_counts" {
+ description = "List of counts for private subnets"
+ type = number
+ default = 1
+}
+
+variable "vpc_database_subnets_counts" {
+ description = "List of counts for database subnets"
+ type = number
+ default = 1
+}
+
+variable "vpc_intra_subnets_counts" {
+ description = "List of counts for intra subnets"
+ type = number
+ default = 1
+}
+
+variable "vpc_default_security_group_ingress" {
+ description = "List of maps of ingress rules to set on the default security group"
+ type = list(map(string))
+ default = []
+}
+
+variable "vpc_default_security_group_egress" {
+ description = "List of maps of egress rules to set on the default security group"
+ type = list(map(string))
+ default = []
+}
+
+variable "worker_iam_role_name" {
+ description = "Name of the worker IAM role"
+ default = ""
+}
diff --git a/versions.tf b/versions.tf
old mode 100644
new mode 100755
index dffc488..d8e2113
--- a/versions.tf
+++ b/versions.tf
@@ -3,7 +3,7 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = ">= 4.23"
+ version = ">= 5.0.0"
 }
 }
 }
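Review bot: The new enumerated string inputs — `vpc_flow_log_traffic_type`, `vpc_flow_log_destination_type`, the three `vpc_endpoint_type_*` variables and `ipam_address_family` — document their valid values only in prose, so a typo such as `"cloudwatch-logs"` is first reported by the provider at apply time; adding a `validation` block with `contains([...], var.x)` for each catches it at plan time (assuming the module's required Terraform version supports validation blocks). Several descriptions are copy-paste errors: `vpc_endpoint_type_private_s3` says "for ECR Docker", and the four `vpc_*_subnets_counts` say "List of counts" while typed `number`; suggested `description = "Number of public subnets to create"` and likewise for the other three. `worker_iam_role_name` is the only variable in the file without a `type`; add `type = string`. The combination of `manage_vpc_default_security_group = true` with empty `vpc_default_security_group_ingress`/`egress` defaults is the right choice, since it leaves the default security group with no rules; keep that as-is.
```terraform
variable "vpc_flow_log_traffic_type" {
  description = "The type of traffic to capture. Valid values: ACCEPT, REJECT, ALL"
  type        = string
  default     = "ALL"
  validation {
    condition     = contains(["ACCEPT", "REJECT", "ALL"], var.vpc_flow_log_traffic_type)
    error_message = "vpc_flow_log_traffic_type must be one of ACCEPT, REJECT or ALL."
  }
}

variable "vpc_flow_log_destination_type" {
  description = "Type of flow log destination. Can be s3 or cloud-watch-logs"
  type        = string
  default     = "cloud-watch-logs"
  validation {
    condition     = contains(["s3", "cloud-watch-logs"], var.vpc_flow_log_destination_type)
    error_message = "vpc_flow_log_destination_type must be s3 or cloud-watch-logs."
  }
}
# … unchanged: remaining variables in this hunk …
```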