- Module tested for Terraform 1.0.1.
- AWS provider version 4.23.
- main branch: provider versions are not pinned, to keep up with Terraform releases.
- tags/releases: tags are pinned with versions (use).
```
terraform init
terraform plan -var='teamid=tryme' -var='prjid=project1'
terraform apply -var='teamid=tryme' -var='prjid=project1'
terraform destroy -var='teamid=tryme' -var='prjid=project1'
```

Note: With this option you are responsible for configuring remote state storage yourself.
Recommended method (stores remote state in S3, using prjid and teamid to create the directory structure):

- Create a Python 3.8+ virtual environment:

  ```
  python3 -m venv <venv name>
  ```

- Install the package:

  ```
  pip install tfremote --upgrade
  ```

- Set the environment variables below:

  ```
  export TF_AWS_BUCKET=<remote state bucket name>
  export TF_AWS_BUCKET_REGION=us-west-2
  export TF_AWS_PROFILE=<profile from ~/.aws/credentials>
  ```

  or

  ```
  export TF_AWS_BUCKET=<remote state bucket name>
  export TF_AWS_BUCKET_REGION=us-west-2
  export AWS_ACCESS_KEY_ID=<aws_access_key_id>
  export AWS_SECRET_ACCESS_KEY=<aws_secret_access_key>
  ```

- Update the examples directory with the required values.
- Run and verify the output before deploying:

  ```
  tf -c=aws plan -var='teamid=foo' -var='prjid=bar'
  ```

- Run the following to deploy:

  ```
  tf -c=aws apply -var='teamid=foo' -var='prjid=bar'
  ```

- Run the following to destroy:

  ```
  tf -c=aws destroy -var='teamid=foo' -var='prjid=bar'
  ```

Note: Read more on tfremote.
```hcl
module "vpc" {
  source = "git::git@github.com:tomarv2/terraform-aws-vpc.git"
  #------------------------------------------
  # Do not change the teamid, prjid once set.
  teamid = var.teamid
  prjid  = var.prjid
}
```
Please refer to the examples directory for references.
- New version of the VPC module to cover cases like shared VPC.
Requirements:

| Name | Version |
|---|---|
| terraform | >= 1.0.1 |
| aws | ~> 4.23 |
| random | ~> 3.1 |
Providers:

| Name | Version |
|---|---|
| aws | ~> 4.23 |
| random | ~> 3.1 |
Modules:

| Name | Source | Version |
|---|---|---|
| vpc | terraform-aws-modules/vpc/aws | 3.14.2 |
Resources:

| Name | Type |
|---|---|
| random_string.naming | resource |
| aws_availability_zones.available | data source |
Inputs:

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| cidr_block | The CIDR block for the VPC | string | "10.4.0.0/16" | no |
| create_flow_log_cloudwatch_iam_role | Whether to create IAM role for VPC Flow Logs | bool | false | no |
| create_flow_log_cloudwatch_log_group | Whether to create CloudWatch log group for VPC Flow Logs | bool | false | no |
| create_igw | Controls if an Internet Gateway is created for public subnets and the related routes that connect them. | bool | true | no |
| custom_tags | Extra custom tags | any | null | no |
| default_security_group_egress | List of maps of egress rules to set on the default security group | list(map(string)) | [] | no |
| default_security_group_ingress | List of maps of ingress rules to set on the default security group | list(map(string)) | [] | no |
| default_security_group_tags | Additional tags for the default security group | map(string) | {} | no |
| enable_dns_hostnames | Should be true to enable DNS hostnames in the VPC | bool | true | no |
| enable_flow_log | Whether or not to enable VPC Flow Logs | bool | false | no |
| enable_nat_gateway | Should be true if you want to provision NAT Gateways for each of your private networks | bool | true | no |
| flow_log_cloudwatch_iam_role_arn | The ARN for the IAM role that's used to post flow logs to a CloudWatch Logs log group. When flow_log_destination_arn is set to the ARN of a CloudWatch Logs log group, this argument needs to be provided. | string | "" | no |
| flow_log_cloudwatch_log_group_kms_key_id | The ARN of the KMS key to use when encrypting log data for VPC flow logs. | string | null | no |
| flow_log_cloudwatch_log_group_name_prefix | Specifies the name prefix of the CloudWatch log group for VPC flow logs. | string | "/aws/vpc-flow-log/" | no |
| flow_log_cloudwatch_log_group_retention_in_days | Specifies the number of days you want to retain log events in the specified log group for VPC flow logs. | number | null | no |
| flow_log_destination_arn | The ARN of the CloudWatch log group or S3 bucket where VPC Flow Logs will be pushed. If this ARN is an S3 bucket, the appropriate permissions need to be set on that bucket's policy. When create_flow_log_cloudwatch_log_group is set to false this argument must be provided. | string | "" | no |
| flow_log_destination_type | Type of flow log destination. Can be s3 or cloud-watch-logs. | string | "cloud-watch-logs" | no |
| flow_log_file_format | (Optional) The format for the flow log. Valid values: plain-text, parquet. | string | "plain-text" | no |
| flow_log_hive_compatible_partitions | (Optional) Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3. | bool | false | no |
| flow_log_log_format | The fields to include in the flow log record, in the order in which they should appear. | string | null | no |
| flow_log_max_aggregation_interval | The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid values: 60 seconds or 600 seconds. | number | 600 | no |
| flow_log_per_hour_partition | (Optional) Indicates whether to partition the flow log per hour. This reduces the cost and response time for queries. | bool | false | no |
| flow_log_traffic_type | The type of traffic to capture. Valid values: ACCEPT, REJECT, ALL. | string | "ALL" | no |
| name | Name of the resource | string | null | no |
| one_nat_gateway_per_az | Should be true if you want only one NAT Gateway per availability zone. Requires var.azs to be set, and the number of public_subnets created to be greater than or equal to the number of availability zones specified in var.azs. | bool | true | no |
| private_subnet_tags | Tags to add to any created private subnets | any | null | no |
| private_subnets | A list of private subnets inside the VPC | list(string) | [] | no |
| prjid | Name of the project/stack, e.g. mystack, nifieks, demoaci. Should not be changed after running 'tf apply' | string | n/a | yes |
| public_subnet_tags | Tags to add to any created public subnets | any | null | no |
| public_subnets | A list of public subnets inside the VPC | list(string) | [] | no |
| single_nat_gateway | Should be true if you want to provision a single shared NAT Gateway across all of your private networks | bool | true | no |
| teamid | Name of the team/group, e.g. devops, dataengineering. Should not be changed after running 'tf apply' | string | n/a | yes |
| vpc_flow_log_permissions_boundary | The ARN of the permissions boundary for the VPC Flow Log IAM role | string | null | no |
| vpc_flow_log_tags | Additional tags for the VPC Flow Logs | map(string) | {} | no |
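The minimal usage snippet earlier on this page only sets teamid and prjid, which leaves flow logs off and the default security group unmanaged. The following is an added example (not code from the module's own examples directory) that combines the usage snippet with the flow-log and default-security-group inputs from the table above: flow logs capture all traffic into a CloudWatch log group that the module creates, encrypted with a customer-managed KMS key and retained for a fixed period, and the default security group is given no rules so that a resource placed in it by accident cannot communicate. The subnet CIDRs, tag values, variable defaults and the KMS key and permissions-boundary ARNs are assumed placeholders; the output names come from the Outputs table.

```hcl
# Added example, not the module's own code: a full invocation of the vpc
# module with VPC Flow Logs enabled and the default security group emptied.
# Input names match the Inputs table; subnet CIDRs, tag values and the
# KMS key / permissions boundary ARNs are assumed placeholders.

variable "teamid" {
  description = "Name of the team/group. Do not change after the first apply."
  type        = string
  default     = "devops" # assumed value
}

variable "prjid" {
  description = "Name of the project/stack. Do not change after the first apply."
  type        = string
  default     = "demo" # assumed value
}

# Assumed: ARN of a customer-managed KMS key whose key policy allows the
# CloudWatch Logs service principal to use it. null leaves the log group
# on the module default (no customer-managed key).
variable "flow_log_kms_key_arn" {
  type    = string
  default = null
}

# Assumed: ARN of an IAM permissions boundary for the flow-log delivery
# role the module creates. null means no boundary is attached.
variable "flow_log_permissions_boundary_arn" {
  type    = string
  default = null
}

module "vpc" {
  # For reproducible builds, pin to a release tag with ?ref=<tag>.
  source = "git::git@github.com:tomarv2/terraform-aws-vpc.git"

  # Do not change teamid and prjid once set.
  teamid = var.teamid
  prjid  = var.prjid

  # Address plan (assumed values; the /16 matches the module default).
  cidr_block      = "10.4.0.0/16"
  private_subnets = ["10.4.1.0/24", "10.4.2.0/24"]
  public_subnets  = ["10.4.101.0/24", "10.4.102.0/24"]

  # Flow logs: all traffic, 60-second aggregation, delivered to a
  # CloudWatch log group the module creates, encrypted with the CMK and
  # retained for 90 days. The module also creates the delivery IAM role,
  # constrained by the permissions boundary when one is given.
  enable_flow_log                                 = true
  flow_log_destination_type                       = "cloud-watch-logs"
  flow_log_traffic_type                           = "ALL"
  flow_log_max_aggregation_interval               = 60
  create_flow_log_cloudwatch_log_group            = true
  create_flow_log_cloudwatch_iam_role             = true
  flow_log_cloudwatch_log_group_retention_in_days = 90
  flow_log_cloudwatch_log_group_kms_key_id        = var.flow_log_kms_key_arn
  vpc_flow_log_permissions_boundary               = var.flow_log_permissions_boundary_arn

  # Default security group with no ingress or egress rules: a resource that
  # lands in it by accident can neither send nor receive traffic.
  default_security_group_ingress = []
  default_security_group_egress  = []
  default_security_group_tags = {
    Name = "${var.teamid}-${var.prjid}-default-sg-unused"
  }

  custom_tags = {
    Owner = var.teamid
    Stack = var.prjid
  }
}

# Outputs re-exported from the module (names from the Outputs table).
output "vpc_id" {
  value = module.vpc.vpc_id
}

output "private_subnets" {
  value = module.vpc.private_subnets
}
```

Run it with the same plan/apply commands shown earlier; the plan should show one flow log, one CloudWatch log group and one IAM role in addition to the VPC resources, and no rules on the default security group.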
Outputs:

| Name | Description |
|---|---|
| default_security_group_id | The ID of the security group created by VPC |
| internet_gateway_route_id | ID of the internet gateway route |
| private_route_table_ids | List of IDs of private route tables |
| private_subnet_arns | List of ARNs of private subnets |
| private_subnets | List of IDs of private subnets |
| private_subnets_cidr_blocks | List of cidr_blocks of private subnets |
| public_route_table_ids | List of IDs of public route tables |
| public_subnet_arns | List of ARNs of public subnets |
| public_subnets | List of IDs of public subnets |
| public_subnets_cidr_blocks | List of cidr_blocks of public subnets |
| security_group | List of cidr_blocks of private subnets |
| subnet_arns | List of subnets ARNs |
| subnets | List of subnets IDs |
| vpc_id | The ID of the VPC |