diff --git a/modules/aws/vpc/README.md b/modules/aws/vpc/README.md
index 34656c36..84657811 100755
--- a/modules/aws/vpc/README.md
+++ b/modules/aws/vpc/README.md
@@ -1,7 +1,7 @@
-
+
+
[![Contributors][contributors-shield]][contributors-url]
[![Forks][forks-shield]][forks-url]
[![Stargazers][stars-shield]][stars-url]
@@ -18,7 +19,6 @@
[![MIT License][license-shield]][license-url]
[![LinkedIn][linkedin-shield]][linkedin-url]
-
[| no | +| [azs](#input\_azs) | A list of Availability zones in the region | `list(string)` |
"us-east-2a",
"us-east-2b",
"us-east-2c"
]
[| no | | [cloudwatch\_name\_prefix](#input\_cloudwatch\_name\_prefix) | (Optional, Forces new resource) Creates a unique name beginning with the specified prefix. | `string` | `"flow_logs_"` | no | | [cloudwatch\_retention\_in\_days](#input\_cloudwatch\_retention\_in\_days) | (Optional) Specifies the number of days you want to retain log events in the specified log group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653, and 0. If you select 0, the events in the log group are always retained and never expire. | `number` | `90` | no | -| [db\_propagating\_vgws](#input\_db\_propagating\_vgws) | A list of VGWs the db route table should propagate. | `list` | `[]` | no | -| [db\_subnets\_list](#input\_db\_subnets\_list) | A list of database subnets inside the VPC. | `list` |
"us-east-2a",
"us-east-2b",
"us-east-2c"
]
[| no | -| [dmz\_propagating\_vgws](#input\_dmz\_propagating\_vgws) | A list of VGWs the DMZ route table should propagate. | `list` | `[]` | no | -| [dmz\_subnets\_list](#input\_dmz\_subnets\_list) | A list of DMZ subnets inside the VPC. | `list` |
"10.11.11.0/24",
"10.11.12.0/24",
"10.11.13.0/24"
]
[| no | +| [db\_propagating\_vgws](#input\_db\_propagating\_vgws) | A list of VGWs the db route table should propagate. | `list(string)` | `null` | no | +| [db\_subnets\_list](#input\_db\_subnets\_list) | A list of database subnets inside the VPC. | `list(string)` |
"10.11.101.0/24",
"10.11.102.0/24",
"10.11.103.0/24"
]
[| no | +| [dmz\_propagating\_vgws](#input\_dmz\_propagating\_vgws) | A list of VGWs the DMZ route table should propagate. | `list(string)` | `null` | no | +| [dmz\_subnets\_list](#input\_dmz\_subnets\_list) | A list of DMZ subnets inside the VPC. | `list(string)` |
"10.11.11.0/24",
"10.11.12.0/24",
"10.11.13.0/24"
]
[| no | | [enable\_dns\_hostnames](#input\_enable\_dns\_hostnames) | (Optional) A boolean flag to enable/disable DNS hostnames in the VPC. Defaults false. | `bool` | `true` | no | | [enable\_dns\_support](#input\_enable\_dns\_support) | (Optional) A boolean flag to enable/disable DNS support in the VPC. Defaults true. | `bool` | `true` | no | | [enable\_firewall](#input\_enable\_firewall) | (Optional) A boolean flag to enable/disable the use of a firewall instance within the VPC. Defaults False. | `bool` | `false` | no | | [enable\_flow\_logs](#input\_enable\_flow\_logs) | (Optional) A boolean flag to enable/disable the use of flow logs with the resources. Defaults True. | `bool` | `true` | no | +| [enable\_internet\_gateway](#input\_enable\_internet\_gateway) | (Optional) A boolean flag to enable/disable the use of Internet gateways. Defaults True. | `bool` | `true` | no | | [enable\_nat\_gateway](#input\_enable\_nat\_gateway) | (Optional) A boolean flag to enable/disable the use of NAT gateways in the private subnets. Defaults True. | `bool` | `true` | no | | [enable\_s3\_endpoint](#input\_enable\_s3\_endpoint) | (Optional) A boolean flag to enable/disable the use of a S3 endpoint with the VPC. Defaults False | `bool` | `false` | no | | [enable\_ssm\_vpc\_endpoints](#input\_enable\_ssm\_vpc\_endpoints) | (Optional) A boolean flag to enable/disable SSM (Systems Manager) VPC endpoints. Defaults true. | `bool` | `false` | no | 
@@ -246,8 +306,8 @@ _For more examples, please refer to the [Documentation](https://github.com/zachr | [flow\_log\_format](#input\_flow\_log\_format) | (Optional) The fields to include in the flow log record, in the order in which they should appear. For more information, see Flow Log Records. Default: fields are in the order that they are described in the Flow Log Records section. | `string` | `null` | no | | [flow\_max\_aggregation\_interval](#input\_flow\_max\_aggregation\_interval) | (Optional) The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: 60 seconds (1 minute) or 600 seconds (10 minutes). Default: 600. | `number` | `60` | no | | [flow\_traffic\_type](#input\_flow\_traffic\_type) | (Optional) The type of traffic to capture. Valid values: ACCEPT,REJECT, ALL. | `string` | `"ALL"` | no | -| [fw\_dmz\_network\_interface\_id](#input\_fw\_dmz\_network\_interface\_id) | Firewall DMZ eni id | `list(any)` | `[]` | no | -| [fw\_network\_interface\_id](#input\_fw\_network\_interface\_id) | Firewall network interface id | `list` | `[]` | no | +| [fw\_dmz\_network\_interface\_id](#input\_fw\_dmz\_network\_interface\_id) | Firewall DMZ eni id | `list(string)` | `null` | no | +| [fw\_network\_interface\_id](#input\_fw\_network\_interface\_id) | Firewall network interface id | `list(string)` | `null` | no | | [iam\_policy\_name\_prefix](#input\_iam\_policy\_name\_prefix) | (Optional, Forces new resource) Creates a unique name beginning with the specified prefix. Conflicts with name. | `string` | `"flow_log_policy_"` | no | | [iam\_policy\_path](#input\_iam\_policy\_path) | (Optional, default '/') Path in which to create the policy. See IAM Identifiers for more information. | `string` | `"/"` | no | | [iam\_role\_description](#input\_iam\_role\_description) | (Optional) The description of the role. | `string` | `"Role utilized for VPC flow logs. 
This role allows creation of log streams and adding logs to the log streams in cloudwatch"` | no | @@ -255,18 +315,18 @@ _For more examples, please refer to the [Documentation](https://github.com/zachr | [instance\_tenancy](#input\_instance\_tenancy) | A tenancy option for instances launched into the VPC | `string` | `"default"` | no | | [key\_name\_prefix](#input\_key\_name\_prefix) | (Optional) Creates an unique alias beginning with the specified prefix. The name must start with the word alias followed by a forward slash (alias/). | `string` | `"alias/flow_logs_key_"` | no | | [map\_public\_ip\_on\_launch](#input\_map\_public\_ip\_on\_launch) | (Optional) Specify true to indicate that instances launched into the subnet should be assigned a public IP address. Default is false. | `bool` | `true` | no | -| [mgmt\_propagating\_vgws](#input\_mgmt\_propagating\_vgws) | A list of VGWs the mgmt route table should propagate. | `list` | `[]` | no | -| [mgmt\_subnets\_list](#input\_mgmt\_subnets\_list) | A list of mgmt subnets inside the VPC. | `list` |
"10.11.101.0/24",
"10.11.102.0/24",
"10.11.103.0/24"
]
[| no | +| [mgmt\_propagating\_vgws](#input\_mgmt\_propagating\_vgws) | A list of VGWs the mgmt route table should propagate. | `list(any)` | `null` | no | +| [mgmt\_subnets\_list](#input\_mgmt\_subnets\_list) | A list of mgmt subnets inside the VPC. | `list(string)` |
"10.11.61.0/24",
"10.11.62.0/24",
"10.11.63.0/24"
]
[| no | | [name](#input\_name) | (Required) Name to be tagged on all of the resources as an identifier | `string` | n/a | yes | -| [private\_propagating\_vgws](#input\_private\_propagating\_vgws) | A list of VGWs the private route table should propagate. | `list` | `[]` | no | -| [private\_subnets\_list](#input\_private\_subnets\_list) | A list of private subnets inside the VPC. | `list` |
"10.11.61.0/24",
"10.11.62.0/24",
"10.11.63.0/24"
]
[| no | -| [public\_propagating\_vgws](#input\_public\_propagating\_vgws) | A list of VGWs the public route table should propagate. | `list` | `[]` | no | -| [public\_subnets\_list](#input\_public\_subnets\_list) | A list of public subnets inside the VPC. | `list` |
"10.11.1.0/24",
"10.11.2.0/24",
"10.11.3.0/24"
]
[| no | +| [private\_propagating\_vgws](#input\_private\_propagating\_vgws) | A list of VGWs the private route table should propagate. | `list(any)` | `null` | no | +| [private\_subnets\_list](#input\_private\_subnets\_list) | A list of private subnets inside the VPC. | `list(string)` |
"10.11.201.0/24",
"10.11.202.0/24",
"10.11.203.0/24"
]
[| no | +| [public\_propagating\_vgws](#input\_public\_propagating\_vgws) | A list of VGWs the public route table should propagate. | `list(any)` | `null` | no | +| [public\_subnets\_list](#input\_public\_subnets\_list) | A list of public subnets inside the VPC. | `list(string)` |
"10.11.1.0/24",
"10.11.2.0/24",
"10.11.3.0/24"
]
[| no | | [single\_nat\_gateway](#input\_single\_nat\_gateway) | (Optional) A boolean flag to enable/disable use of only a single shared NAT Gateway across all of your private networks. Defaults False. | `bool` | `false` | no | -| [tags](#input\_tags) | (Optional) A mapping of tags to assign to the object. | `map` |
"10.11.201.0/24",
"10.11.202.0/24",
"10.11.203.0/24"
]
{| no | +| [tags](#input\_tags) | (Optional) A mapping of tags to assign to the object. | `map(string)` |
"created_by": "",
"environment": "prod",
"priority": "high",
"terraform": "true"
}
{| no | | [vpc\_cidr](#input\_vpc\_cidr) | The CIDR block for the VPC | `string` | `"10.11.0.0/16"` | no | -| [workspaces\_propagating\_vgws](#input\_workspaces\_propagating\_vgws) | A list of VGWs the workspaces route table should propagate. | `list` | `[]` | no | -| [workspaces\_subnets\_list](#input\_workspaces\_subnets\_list) | A list of workspaces subnets inside the VPC. | `list` |
"created_by": "",
"environment": "prod",
"priority": "high",
"terraform": "true"
}
[| no | +| [workspaces\_propagating\_vgws](#input\_workspaces\_propagating\_vgws) | A list of VGWs the workspaces route table should propagate. | `list(any)` | `null` | no | +| [workspaces\_subnets\_list](#input\_workspaces\_subnets\_list) | A list of workspaces subnets inside the VPC. | `list(string)` |
"10.11.21.0/24",
"10.11.22.0/24",
"10.11.23.0/24"
]
[| no | ## Outputs @@ -298,15 +358,15 @@ _For more examples, please refer to the [Documentation](https://github.com/zachr + ## License Distributed under the MIT License. See `LICENSE.txt` for more information. - - + ## Contact Zachary Hill - [![LinkedIn][linkedin-shield]][linkedin-url] - zhill@zacharyhill.co @@ -315,19 +375,18 @@ Project Link: [https://github.com/zachreborn/terraform-modules](https://github.c - - + ## Acknowledgments -* [Zachary Hill](https://zacharyhill.co) -* [Jake Jones](https://github.com/jakeasarus) +- [Zachary Hill](https://zacharyhill.co) +- [Jake Jones](https://github.com/jakeasarus) - + [contributors-shield]: https://img.shields.io/github/contributors/zachreborn/terraform-modules.svg?style=for-the-badge [contributors-url]: https://github.com/zachreborn/terraform-modules/graphs/contributors [forks-shield]: https://img.shields.io/github/forks/zachreborn/terraform-modules.svg?style=for-the-badge @@ -342,4 +401,4 @@ Project Link: [https://github.com/zachreborn/terraform-modules](https://github.c [linkedin-url]: https://www.linkedin.com/in/zachary-hill-5524257a/ [product-screenshot]: /images/screenshot.webp [Terraform.io]: https://img.shields.io/badge/Terraform-7B42BC?style=for-the-badge&logo=terraform -[Terraform-url]: https://terraform.io \ No newline at end of file +[Terraform-url]: https://terraform.io diff --git a/modules/aws/vpc/main.tf b/modules/aws/vpc/main.tf index f4f29e5e..81788bdf 100644 --- a/modules/aws/vpc/main.tf +++ b/modules/aws/vpc/main.tf @@ -14,7 +14,13 @@ terraform { data "aws_caller_identity" "current" {} data "aws_region" "current" {} +########################### +# Locals +########################### + locals { + # Disable the IGW if either enable_internet_gateway is false or public_subnets_list is empty + enable_igw = var.enable_internet_gateway ? ((length(var.public_subnets_list) != 0 || var.public_subnets_list != null) ? true : false) : false service_name = "com.amazonaws.${data.aws_region.current.name}.s3" } 
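Review bot: `local.enable_igw` does not implement its own comment: with `public_subnets_list = []` the `length(...) != 0` test is false but `[] != null` is true, so the `||` still yields true and the IGW plus `aws_route.public_default_route` are created while `aws_route_table.public_route_table` (whose count is based on length in the next hunk) has zero instances, so its `[0]` index fails during plan. The null test is also placed after `length()`, which is the call that errors on a null list, so it gives no protection either. Both problems go away with `enable_igw = var.enable_internet_gateway && try(length(var.public_subnets_list), 0) != 0`, which also drops the redundant `? true : false`.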
@@ -194,20 +200,23 @@ resource "aws_subnet" "workspaces_subnets" { ########################### resource "aws_internet_gateway" "igw" { + count = local.enable_igw ? 1 : 0 tags = merge(var.tags, ({ "Name" = format("%s-igw", var.name) })) vpc_id = aws_vpc.vpc.id } resource "aws_route_table" "public_route_table" { + count = length(var.public_subnets_list) != 0 ? 1 : 0 propagating_vgws = var.public_propagating_vgws tags = merge(var.tags, ({ "Name" = format("%s-rt-public", var.name) })) vpc_id = aws_vpc.vpc.id } resource "aws_route" "public_default_route" { + count = local.enable_igw ? 1 : 0 destination_cidr_block = "0.0.0.0/0" - gateway_id = aws_internet_gateway.igw.id - route_table_id = aws_route_table.public_route_table.id + gateway_id = aws_internet_gateway.igw[0].id + route_table_id = aws_route_table.public_route_table[0].id } resource "aws_eip" "nateip" { @@ -218,8 +227,8 @@ resource "aws_eip" "nateip" { resource "aws_nat_gateway" "natgw" { depends_on = [aws_internet_gateway.igw] + count = var.enable_nat_gateway ? (local.enable_igw ? (var.single_nat_gateway ? 1 : length(var.azs)) : 0) : 0 allocation_id = element(aws_eip.nateip[*].id, (var.single_nat_gateway ? 0 : count.index)) - count = var.enable_nat_gateway ? (var.single_nat_gateway ? 1 : length(var.azs)) : 0 subnet_id = element(aws_subnet.public_subnets[*].id, (var.single_nat_gateway ? 0 : count.index)) } @@ -347,7 +356,7 @@ resource "aws_vpc_endpoint_route_table_association" "private_s3" { resource "aws_vpc_endpoint_route_table_association" "public_s3" { count = var.enable_s3_endpoint ? length(var.public_subnets_list) : 0 vpc_endpoint_id = aws_vpc_endpoint.s3[count.index] - route_table_id = aws_route_table.public_route_table.id + route_table_id = aws_route_table.public_route_table[0].id } resource "aws_route_table_association" "private" { 
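Review bot: `aws_route_table.public_route_table` is gated on `length(var.public_subnets_list) != 0` while `aws_route.public_default_route`, which indexes `public_route_table[0]`, is gated on `local.enable_igw`; any divergence between those two predicates (a null list, which `length()` rejects outright, or the `||` in the local evaluating true for an empty list) leaves the route pointing at a non-existent index. Deriving both counts from one local, e.g. `enable_public_rt = try(length(var.public_subnets_list), 0) != 0` in `locals` and `count = local.enable_public_rt && local.enable_igw ? 1 : 0` on the route, keeps the `[0]` references valid by construction. The same `public_route_table[0]` reference appears in the `public_s3` association hunk below and in the `aws_route_table_association.public` hunk that follows, so they inherit whichever predicate the route table ends up with.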
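Review bot: The new `count` on `aws_nat_gateway.natgw` nests three conditionals; `count = var.enable_nat_gateway && local.enable_igw ? (var.single_nat_gateway ? 1 : length(var.azs)) : 0` expresses the same thing and is easier to audit. `aws_eip.nateip` is only the hunk's header context, so its count is not visible here; if it still follows the old `enable_nat_gateway`/`single_nat_gateway` expression, disabling the IGW now allocates Elastic IPs that nothing attaches to, and it should probably share the NAT gateway's count expression. `subnet_id` indexes `aws_subnet.public_subnets`, so this count must be non-zero only when the public subnet list is non-empty, which is what `local.enable_igw` is intended to encode.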
@@ -358,7 +367,7 @@ resource "aws_route_table_association" "private" { resource "aws_route_table_association" "public" { count = length(var.public_subnets_list) - route_table_id = aws_route_table.public_route_table.id + route_table_id = aws_route_table.public_route_table[0].id subnet_id = element(aws_subnet.public_subnets[*].id, count.index) } diff --git a/modules/aws/vpc/variables.tf b/modules/aws/vpc/variables.tf index 3224b008..19c8a0a4 100644 --- a/modules/aws/vpc/variables.tf +++ b/modules/aws/vpc/variables.tf @@ -1,28 +1,32 @@ ########################### # VPC ########################### - variable "vpc_cidr" { description = "The CIDR block for the VPC" - default = "10.11.0.0/16" type = string + default = "10.11.0.0/16" } variable "enable_dns_hostnames" { description = "(Optional) A boolean flag to enable/disable DNS hostnames in the VPC. Defaults false." - default = true type = bool + default = true } variable "enable_dns_support" { description = "(Optional) A boolean flag to enable/disable DNS support in the VPC. Defaults true." - default = true type = bool + default = true } variable "instance_tenancy" { description = "A tenancy option for instances launched into the VPC" + type = string default = "default" + validation { + condition = can(regex("^(default|dedicated)$", var.instance_tenancy)) + error_message = "instance_tenancy must be either default or dedicated" + } } ########################### @@ -30,8 +34,8 @@ variable "instance_tenancy" { ########################### variable "enable_ssm_vpc_endpoints" { - type = bool description = "(Optional) A boolean flag to enable/disable SSM (Systems Manager) VPC endpoints. Defaults true." + type = bool default = false } 
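Review bot: `instance_tenancy` gains a validation block but `vpc_cidr`, reordered in the same hunk, still accepts any string and only fails inside `aws_vpc`; `condition = can(cidrhost(var.vpc_cidr, 0))` with `error_message = "vpc_cidr must be a valid CIDR block."` rejects a malformed block at variable evaluation instead. For the tenancy check, `contains(["default", "dedicated"], var.instance_tenancy)` states the allowed set directly and does not need `can()` around a regex. The `enable_ssm_vpc_endpoints` hunk at the end of this line only reorders `type` and `description`, but its description still says "Defaults true" while `default = false`; since the line is touched, `Defaults false.` would bring the two into agreement.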
@@ -41,42 +45,49 @@ variable "enable_ssm_vpc_endpoints" { variable "azs" { description = "A list of Availability zones in the region" + type = list(string) default = ["us-east-2a", "us-east-2b", "us-east-2c"] } variable "db_subnets_list" { description = "A list of database subnets inside the VPC." + type = list(string) default = ["10.11.11.0/24", "10.11.12.0/24", "10.11.13.0/24"] } variable "dmz_subnets_list" { description = "A list of DMZ subnets inside the VPC." + type = list(string) default = ["10.11.101.0/24", "10.11.102.0/24", "10.11.103.0/24"] } variable "map_public_ip_on_launch" { description = "(Optional) Specify true to indicate that instances launched into the subnet should be assigned a public IP address. Default is false." - default = true type = bool + default = true } variable "mgmt_subnets_list" { description = "A list of mgmt subnets inside the VPC." + type = list(string) default = ["10.11.61.0/24", "10.11.62.0/24", "10.11.63.0/24"] } variable "private_subnets_list" { description = "A list of private subnets inside the VPC." + type = list(string) default = ["10.11.1.0/24", "10.11.2.0/24", "10.11.3.0/24"] } variable "public_subnets_list" { description = "A list of public subnets inside the VPC." + type = list(string) default = ["10.11.201.0/24", "10.11.202.0/24", "10.11.203.0/24"] } variable "workspaces_subnets_list" { description = "A list of workspaces subnets inside the VPC." + type = list(string) default = ["10.11.21.0/24", "10.11.22.0/24", "10.11.23.0/24"] } @@ -86,6 +97,7 @@ variable "workspaces_subnets_list" { variable "single_nat_gateway" { description = "(Optional) A boolean flag to enable/disable use of only a single shared NAT Gateway across all of your private networks. Defaults False." + type = bool default = false } 
@@ -95,43 +107,50 @@ variable "single_nat_gateway" { variable "db_propagating_vgws" { description = "A list of VGWs the db route table should propagate." - default = [] + type = list(string) + default = null } variable "dmz_propagating_vgws" { description = "A list of VGWs the DMZ route table should propagate." - default = [] + type = list(string) + default = null } variable "fw_dmz_network_interface_id" { - type = list(any) description = "Firewall DMZ eni id" - default = [] + type = list(string) + default = null } variable "fw_network_interface_id" { description = "Firewall network interface id" - default = [] + type = list(string) + default = null } variable "mgmt_propagating_vgws" { description = "A list of VGWs the mgmt route table should propagate." - default = [] + type = list(any) + default = null } variable "private_propagating_vgws" { description = "A list of VGWs the private route table should propagate." - default = [] + type = list(any) + default = null } variable "public_propagating_vgws" { description = "A list of VGWs the public route table should propagate." - default = [] + type = list(any) + default = null } variable "workspaces_propagating_vgws" { description = "A list of VGWs the workspaces route table should propagate." - default = [] + type = list(any) + default = null } ########################### 
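Review bot: The `mgmt`, `private`, `public` and `workspaces` `*_propagating_vgws` variables are typed `list(any)` while `db_propagating_vgws` and `dmz_propagating_vgws` in the same hunk become `list(string)`; all six feed `propagating_vgws`, which takes gateway ids, so `type = list(string)` on every one of them is the consistent choice and turns a bad value into a type error rather than a silent coercion. Changing `fw_dmz_network_interface_id` and `fw_network_interface_id` from `[]` to `null` is riskier than for the VGW lists: their consumers are not in this diff, and any `length()` or `element()` over them now errors on null where it previously saw an empty list. If those references are not null-guarded, keeping `default = []` (or adding `nullable = false`) is the safer change; otherwise the null default should be documented on the variable.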
@@ -139,74 +158,82 @@ variable "workspaces_propagating_vgws" { ########################### variable "cloudwatch_name_prefix" { description = "(Optional, Forces new resource) Creates a unique name beginning with the specified prefix." - default = "flow_logs_" type = string + default = "flow_logs_" } variable "cloudwatch_retention_in_days" { description = "(Optional) Specifies the number of days you want to retain log events in the specified log group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653, and 0. If you select 0, the events in the log group are always retained and never expire." - default = 90 type = number + default = 90 + validation { + condition = can(index([1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653, 0], var.cloudwatch_retention_in_days)) + error_message = "cloudwatch_retention_in_days must be one of: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653, 0." + } } variable "iam_policy_name_prefix" { description = "(Optional, Forces new resource) Creates a unique name beginning with the specified prefix. Conflicts with name." - default = "flow_log_policy_" type = string + default = "flow_log_policy_" } variable "iam_policy_path" { - type = string description = "(Optional, default '/') Path in which to create the policy. See IAM Identifiers for more information." + type = string default = "/" } variable "iam_role_description" { - type = string description = "(Optional) The description of the role." + type = string default = "Role utilized for VPC flow logs. This role allows creation of log streams and adding logs to the log streams in cloudwatch" } variable "iam_role_name_prefix" { - type = string description = "(Required, Forces new resource) Creates a unique friendly name beginning with the specified prefix. Conflicts with name." 
+ type = string default = "flow_logs_role_" } variable "key_name_prefix" { description = "(Optional) Creates an unique alias beginning with the specified prefix. The name must start with the word alias followed by a forward slash (alias/)." - default = "alias/flow_logs_key_" type = string + default = "alias/flow_logs_key_" } variable "flow_deliver_cross_account_role" { - type = string description = "(Optional) The ARN of the IAM role that posts logs to CloudWatch Logs in a different account." + type = string default = null } variable "flow_log_destination_type" { - type = string description = "(Optional) The type of the logging destination. Valid values: cloud-watch-logs, s3. Default: cloud-watch-logs." + type = string default = "cloud-watch-logs" } variable "flow_log_format" { - type = string description = "(Optional) The fields to include in the flow log record, in the order in which they should appear. For more information, see Flow Log Records. Default: fields are in the order that they are described in the Flow Log Records section." + type = string default = null } variable "flow_max_aggregation_interval" { - type = number description = "(Optional) The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: 60 seconds (1 minute) or 600 seconds (10 minutes). Default: 600." + type = number default = 60 } variable "flow_traffic_type" { - type = string description = "(Optional) The type of traffic to capture. Valid values: ACCEPT,REJECT, ALL." + type = string default = "ALL" + validation { + condition = can(index(["ACCEPT", "REJECT", "ALL"], var.flow_traffic_type)) + error_message = "flow_traffic_type must be one of: ACCEPT, REJECT, ALL." + } } ############################################################### 
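Review bot: `flow_max_aggregation_interval` is left without a validation block even though this hunk adds one to `cloudwatch_retention_in_days` and `flow_traffic_type`, and its description names exactly two valid values; the block below rejects anything other than 60 or 600. The same description says "Default: 600" while `default = 60`, so one of them should be corrected (`Default: 60.` if 60 is the intended value). `flow_log_destination_type` likewise documents `cloud-watch-logs` and `s3` as the only valid values and would benefit from the same treatment. For the two checks already added, `contains([...], var.x)` is the idiomatic form of `can(index([...], var.x))` and does not mask unrelated errors behind `can()`.

```hcl
variable "flow_max_aggregation_interval" {
  # … unchanged: description, type, default …
  validation {
    condition     = contains([60, 600], var.flow_max_aggregation_interval)
    error_message = "flow_max_aggregation_interval must be either 60 or 600."
  }
}
```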
@@ -215,26 +242,32 @@ variable "flow_traffic_type" { variable "enable_firewall" { description = "(Optional) A boolean flag to enable/disable the use of a firewall instance within the VPC. Defaults False." - default = false type = bool + default = false } variable "enable_nat_gateway" { description = "(Optional) A boolean flag to enable/disable the use of NAT gateways in the private subnets. Defaults True." + type = bool default = true +} + +variable "enable_internet_gateway" { + description = "(Optional) A boolean flag to enable/disable the use of Internet gateways. Defaults True." type = bool + default = true } variable "enable_s3_endpoint" { description = "(Optional) A boolean flag to enable/disable the use of a S3 endpoint with the VPC. Defaults False" - default = false type = bool + default = false } variable "enable_flow_logs" { description = "(Optional) A boolean flag to enable/disable the use of flow logs with the resources. Defaults True." - default = true type = bool + default = true } variable "name" { @@ -244,6 +277,7 @@ variable "name" { variable "tags" { description = "(Optional) A mapping of tags to assign to the object." + type = map(string) default = { terraform = "true" created_by = "
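Review bot: The description of the new `enable_internet_gateway` variable should state its knock-on effects, because in `main.tf` `local.enable_igw` also gates `aws_route.public_default_route` and the `aws_nat_gateway.natgw` count, so setting it to false silently yields zero NAT gateways even with `enable_nat_gateway = true`; suggested text: `(Optional) A boolean flag to enable/disable the Internet gateway. When false, the public default route and all NAT gateways are also disabled. Defaults True.` The `variable "name"` block at the end of the hunk is trailing context only and its body is outside this view.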
"10.11.21.0/24",
"10.11.22.0/24",
"10.11.23.0/24"
]