A Terraform module to create a VPC with secure default configurations. Most configurations are based on the CIS Amazon Web Services Foundations Benchmark and the CIS Amazon Web Services Three-tier Web Architecture Benchmark.
The primary goal of this module is to create the VPC itself in a secure manner without boilerplate code; it therefore does not create any subnets except the ones used by the NAT Gateways.
```hcl
data "aws_caller_identity" "current" {}

module "secure_vpc" {
  source = "nozaq/secure-vpc/aws"

  aws_account_id = data.aws_caller_identity.current.account_id
  # AWS only accepts VPC CIDR blocks between /16 and /28; a /8 is rejected at apply time.
  cidr_block         = "10.0.0.0/16"
  availability_zones = ["ap-northeast-1a", "ap-northeast-1c"]
  # One subnet per availability zone, used only for the NAT Gateways.
  nat_subnet_cidr_blocks = ["10.0.253.0/24", "10.0.254.0/24"]
  # IAM role and CloudWatch Logs group that receive the VPC Flow Logs.
  flow_logs_iam_role_name = "FlowLogsPublisher"
  flow_logs_group_name    = "SimpleVPCFlowLogs"

  tags = {
    Environment = "SimpleVPC"
  }
}
```
Name | Description | Type | Default | Required |
---|---|---|---|---|
assign_generated_ipv6_cidr_block | Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block. | string | "false" | no |
availability_zones | The availability zones to support with this VPC. | list | [] | no |
aws_account_id | The AWS Account ID number of the account. | string | n/a | yes |
cidr_block | The CIDR block for the VPC. | string | n/a | yes |
enable_dns_hostnames | A boolean flag to enable/disable DNS hostnames in the VPC. | string | "false" | no |
enable_dns_support | A boolean flag to enable/disable DNS support in the VPC. | string | "true" | no |
flow_logs_group_name | The name of the CloudWatch Logs group for VPC Flow Logs. | string | n/a | yes |
flow_logs_iam_role_name | The name of the IAM role to publish VPC Flow Logs. | string | n/a | yes |
flow_logs_key_deletion_window_in_days | Duration in days after which the key is deleted after destruction of the resource, must be between 7 and 30 days. Defaults to 30 days. | string | "30" | no |
flow_logs_retention_in_days | Specifies the number of days you want to retain VPC Flow Logs events. | string | "0" | no |
flow_logs_traffic_type | The type of traffic to capture. Valid values: ACCEPT, REJECT, ALL | string | "ALL" | no |
instance_tenancy | A tenancy option for instances launched into the VPC. | string | "default" | no |
nat_subnet_cidr_blocks | The CIDR blocks for the NAT subnets. | list | [] | no |
tags | Tags to be attached to all resources created with this module. | map | {} | no |
Name | Description |
---|---|
default_network_acl_id | The ID of the default network ACL |
default_route_table_id | The ID of the default route table |
default_security_group_id | The ID of the security group created by default on VPC creation |
flow_logs_group_arn | The ARN of the CloudWatch log group to which VPC Flow Logs are published |
internet_gateway_id | The ID of the internet gateway |
nat_gateway_ids | The IDs of the NAT Gateways |
nat_gateway_private_ips | The private IP addresses of the NAT Gateways |
nat_gateway_public_ips | The public IP addresses of the NAT Gateways |
private_route_table_id | The ID of the route table for private subnets |
public_route_table_id | The ID of the route table for public subnets |
vpc_cidr_block | The CIDR block of the VPC |
vpc_enable_dns_hostnames | Whether or not the VPC has DNS hostname support |
vpc_enable_dns_support | Whether or not the VPC has DNS support |
vpc_id | The ID of the VPC |
vpc_instance_tenancy | Tenancy of instances launched within the VPC |
vpc_main_route_table_id | The ID of the main route table associated with this VPC |
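Because the module creates no application subnets, the caller builds those tiers on top of its outputs. The following is an added example, not part of the module's own README: it wires two private subnets to the module's `private_route_table_id` so that their only egress path is the NAT Gateways, and raises the flow-log retention above the default of `"0"`. The subnet CIDRs, the AZ list and the 90-day retention value are constructed for illustration.

```hcl
data "aws_caller_identity" "current" {}

locals {
  # Constructed values: one private subnet per availability zone.
  azs          = ["ap-northeast-1a", "ap-northeast-1c"]
  private_cidr = ["10.0.1.0/24", "10.0.2.0/24"]
}

module "secure_vpc" {
  source = "nozaq/secure-vpc/aws"

  aws_account_id          = data.aws_caller_identity.current.account_id
  cidr_block              = "10.0.0.0/16"
  availability_zones      = local.azs
  nat_subnet_cidr_blocks  = ["10.0.253.0/24", "10.0.254.0/24"]
  flow_logs_iam_role_name = "FlowLogsPublisher"
  flow_logs_group_name    = "SimpleVPCFlowLogs"

  # The default "0" keeps flow logs forever; 90 days is a constructed
  # retention period so that the log group does not grow unbounded.
  flow_logs_retention_in_days = "90"

  tags = {
    Environment = "SimpleVPC"
  }
}

# Private subnets created by the caller, not by the module.
resource "aws_subnet" "private" {
  count = length(local.azs)

  vpc_id                  = module.secure_vpc.vpc_id
  cidr_block              = local.private_cidr[count.index]
  availability_zone       = local.azs[count.index]
  map_public_ip_on_launch = false   # never hand out public IPs on this tier

  tags = {
    Name = "private-${local.azs[count.index]}"
  }
}

# Attach each private subnet to the module's private route table, whose
# default route points at the NAT Gateways rather than the internet gateway.
resource "aws_route_table_association" "private" {
  count = length(local.azs)

  subnet_id      = aws_subnet.private[count.index].id
  route_table_id = module.secure_vpc.private_route_table_id
}
```

Subnets left unassociated would fall back to `vpc_main_route_table_id`, so the explicit association is what keeps the tier behind the NAT Gateways.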