nozaq / terraform-aws-secure-vpc

A terraform module to create a VPC with secure default configurations.
MIT License
17 stars 13 forks source link
aws aws-auditing cis-benchmark devops hardening security security-hardening security-tools terraform vpc

terraform-aws-secure-vpc

Github Actions

Terraform Module Registry

A terraform module to create a VPC with secure default configurations. Most configurations are based on CIS Amazon web Services Foundations and CIS Amazon Web Services Three-tier Web Architecture Benchmark.

The primary goal of this module is to create a VPC itself in a secure manner without any boilerplate code hence it does not create any subnets except ones for NAT Gateways.

Features

Usage

data "aws_caller_identity" "current" {}

module "secure_vpc" {
  source = "nozaq/secure-vpc/aws"

  aws_account_id          = data.aws_caller_identity.current.account_id
  cidr_block              = "10.0.0.0/8"
  availability_zones      = ["ap-northeast-1a", "ap-northeast-1c"]
  nat_subnet_cidr_blocks  = ["10.0.253.0/24", "10.0.254.0/24"]
  flow_logs_iam_role_name = "FlowLogsPublisher"
  flow_logs_group_name    = "SimpleVPCFlowLogs"

  tags = {
    Environment = "SimpleVPC"
  }
}

Inputs

Name Description Type Default Required
assign_generated_ipv6_cidr_block Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block. string "false" no
availability_zones The availability zones to support with this VPC. list [] no
aws_account_id The AWS Account ID number of the account. string n/a yes
cidr_block The CIDR block for the VPC. string n/a yes
enable_dns_hostnames A boolean flag to enable/disable DNS hostnames in the VPC. string "false" no
enable_dns_support A boolean flag to enable/disable DNS support in the VPC. string "true" no
flow_logs_group_name The name of the CloudWatch Logs group for VPC Flow Logs. string n/a yes
flow_logs_iam_role_name The name of the IAM role to publish VPC Flow Logs. string n/a yes
flow_logs_key_deletion_window_in_days Duration in days after which the key is deleted after destruction of the resource, must be between 7 and 30 days. Defaults to 30 days. string "30" no
flow_logs_retention_in_days Specifies the number of days you want to retain VPC Flow Logs events. string "0" no
flow_logs_traffic_type The type of traffic to capture. Valid values: ACCEPT,REJECT, ALL string "ALL" no
instance_tenancy A tenancy option for instances launched into the VPC string "default" no
nat_subnet_cidr_blocks The CIDR blocks for the NAT subnets. list [] no
tags Tags to be attached to all resources created with this module. map {} no

Outputs

Name Description
default_network_acl_id The ID of the default network ACL
default_route_table_id The ID of the default route table
default_security_group_id The ID of the security group created by default on VPC creation
flow_logs_group_arn The ARN of the CloudWatch log group to which VPC Flow Logs will publish to.
internet_gateway_id The ID of the internet gateawy
nat_gateway_ids The ID of the NAT Gateawy
nat_gateway_private_ips The private IP address of the NAT Gateway
nat_gateway_public_ips The public IP address of the NAT Gateway
private_route_table_id The ID of the route table for private subnets
public_route_table_id The ID of the route table for public subnets
vpc_cidr_block The CIDR block of the VPC
vpc_enable_dns_hostnames Whether or not the VPC has DNS hostname support
vpc_enable_dns_support Whether or not the VPC has DNS support
vpc_id The ID of the VPC
vpc_instance_tenancy Tenancy of instances spin up within VPC
vpc_main_route_table_id The ID of the main route table associated with this VPC