Skip to content

appvia/terraform-aws-network

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Appvia Banner

Terraform Registry Latest Release Slack Community Contributors

Github Actions

Terraform AWS Network

Description

The purpose of this module is to provide a consistent way to provision a VPC and associated resources in AWS.

Usage

Add example usage here

module "vpc" {
  source  = "appvia/network/aws"
  version = "0.0.8"

  availability_zones                    = var.availability_zones
  enable_ssm                            = var.enable_ssm
  enable_transit_gateway_appliance_mode = true
  ipam_pool_id                          = data.aws_vpc_ipam_pool.current.id
  name                                  = var.name
  private_subnet_netmask                = var.private_subnet_netmask
  public_subnet_netmask                 = var.public_subnet_netmask
  tags                                  = var.tags
  transit_gateway_id                    = data.aws_ec2_transit_gateway.this.id
  vpc_cidr                              = var.vpc_cidr

  transit_gateway_routes = {
    private = aws_ec2_managed_prefix_list.internal.id
  }
}

Enabling NAT Gateways

To enable NAT gateways in your VPC, you can use the enable_nat_gateway and nat_gateway_mode variables. Here are some examples:

# Single NAT Gateway for all AZs
module "vpc" {
  source  = "appvia/network/aws"
  version = "0.0.8"

  nat_gateway_mode   = "single"
  # ... other configuration ...
}

# One NAT Gateway per AZ for high availability
module "vpc" {
  source  = "appvia/network/aws"
  version = "0.0.8"

  nat_gateway_mode   = "one_per_az"
  # ... other configuration ...
}

Remember that NAT gateways incur costs, so choose the configuration that best balances your availability requirements and budget.

Using Transit Gateway

The module supports connecting your VPC to an AWS Transit Gateway. Here are some common configurations:

# Basic Transit Gateway connection
module "vpc" {
  source  = "appvia/network/aws"
  version = "0.0.8"

  transit_gateway_id     = "tgw-1234567890abcdef0" # Your Transit Gateway ID

  # Default route to Transit Gateway for private subnets
  transit_gateway_routes = {
    private = "10.0.0.0/8"  # Route all 10.0.0.0/8 traffic to Transit Gateway
  }
  # ... other configuration ...
}

# Transit Gateway with appliance mode (for network appliances)
module "vpc" {
  source  = "appvia/network/aws"
  version = "0.0.8"

  enable_transit_gateway_appliance_mode = true
  transit_gateway_id                    = "tgw-1234567890abcdef0"

  # Using a prefix list for routes
  transit_gateway_routes = {
    private = "pl-1234567890abcdef0"  # AWS prefix list ID
  }
  # ... other configuration ...
}

The Transit Gateway configuration supports:

  • Connecting to an existing Transit Gateway
  • Appliance mode for network appliance deployments
  • Custom routing using CIDR blocks or prefix lists
  • Optional NAT Gateway access for Transit Gateway subnets

Using Private Endpoints

The module supports creating VPC endpoints for AWS services. Here are some common configurations:

# Enable SSM endpoints (Session Manager)
module "vpc" {
  source  = "appvia/network/aws"
  version = "0.0.8"

  enable_ssm = true
  # ... other configuration ...
}

# Enable specific private endpoints
module "vpc" {
  source  = "appvia/network/aws"
  version = "0.0.8"

  enable_private_endpoints = [
    "ecr.api",
    "ecr.dkr",
    "s3",
    "logs"
  ]
  # ... other configuration ...
}

Note, by default Gateway endpoints are automatically created for S3 and DynamoDB, though these can be controlled by the enable_s3_endpoint and enable_dynamodb_endpoint variables.

You can use enable_ssm as a shortcut to enable the SSM endpoints.

module "vpc" {
  source  = "appvia/network/aws"
  version = "0.0.8"

  enable_ssm = true
}

Enable DNS Request Logging

To enable DNS request logging in your VPC, you can use the enable_dns_request_logging variable. This feature allows you to log DNS queries made within your VPC, which can be useful for monitoring and troubleshooting.

Here is an example configuration:

module "vpc" {
  source  = "appvia/network/aws"
  version = "0.0.8"

  enable_dns_request_logging = true
  # ... other configuration ...
}

Enable VPC Flow Logs

VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data can be published to Amazon CloudWatch Logs, Amazon S3, or Amazon Kinesis Data Firehose.

Basic Configuration

module "vpc" {
  source  = "appvia/network/aws"

  flow_logs = {
    destination_type = "s3"
    destination_arn  = "arn:aws:s3:::my-flow-logs-bucket"
    log_format       = "plain-text"
    traffic_type     = "ALL"
  }
  # ... other configuration ...
}

Advanced S3 Configuration

For S3 destinations, you can configure additional options for better log organization and analysis:

module "vpc" {
  source  = "appvia/network/aws"

  flow_logs = {
    destination_type = "s3"
    destination_arn  = "arn:aws:s3:::my-flow-logs-bucket"
    log_format       = "parquet"
    traffic_type     = "ALL"
    
    destination_options = {
      file_format                = "parquet"
      hive_compatible_partitions = true
      per_hour_partition         = true
    }
  }
  # ... other configuration ...
}

CloudWatch Logs Configuration

module "vpc" {
  source  = "appvia/network/aws"

  flow_logs = {
    destination_type = "cloud-watch-logs"
    destination_arn  = "arn:aws:logs:us-west-2:123456789012:log-group:/aws/vpc/flowlogs"
    log_format       = "plain-text"
    traffic_type     = "ACCEPT"
  }
  # ... other configuration ...
}

Kinesis Data Firehose Configuration

module "vpc" {
  source  = "appvia/network/aws"

  flow_logs = {
    destination_type = "kinesis-data-firehose"
    destination_arn  = "arn:aws:firehose:us-west-2:123456789012:deliverystream/vpc-flow-logs"
    log_format       = "parquet"
    traffic_type     = "ALL"
  }
  # ... other configuration ...
}

Flow Logs Configuration Options

Parameter Description Valid Values Default
destination_type Where to publish flow logs s3, kinesis-data-firehose, cloud-watch-logs Required
destination_arn ARN of the destination Valid ARN for the destination type Required
log_format Format of the flow logs plain-text, parquet plain-text
traffic_type Type of traffic to capture ALL, ACCEPT, REJECT ALL

S3 Destination Options

When using S3 as the destination, you can configure additional options:

Parameter Description Type Default
file_format Format of the flow logs string Required
hive_compatible_partitions Use Hive-compatible partitions bool Required
per_hour_partition Partition logs per hour bool Required

Use Cases

  • Security Monitoring: Track rejected connections and potential security threats
  • Network Troubleshooting: Analyze network connectivity issues
  • Compliance: Meet regulatory requirements for network monitoring
  • Cost Optimization: Identify unused or underutilized network resources
  • Performance Analysis: Monitor network performance and identify bottlenecks

Best Practices

  1. Choose the Right Traffic Type:

    • Use ALL for comprehensive monitoring
    • Use ACCEPT to focus on successful connections
    • Use REJECT to monitor security events
  2. Select Appropriate Log Format:

    • Use plain-text for simple analysis and debugging
    • Use parquet for advanced analytics and cost optimization
  3. Configure S3 Options:

    • Enable hive_compatible_partitions for better query performance
    • Use per_hour_partition for better log organization
  4. Consider Costs:

    • S3 is typically the most cost-effective option
    • CloudWatch Logs can be expensive for high-volume traffic
    • Kinesis Data Firehose is useful for real-time processing
  5. Set Up Lifecycle Policies:

    • Configure S3 lifecycle policies to manage log retention
    • Archive old logs to cheaper storage classes

Using Route53 Resolver Rules

The module supports automatically associating shared Route53 Resolver Rules with your VPC. By default, any resolver rules shared with your account will be automatically associated. Here are some configuration examples:

# Disable automatic resolver rule association
module "vpc" {
  source  = "appvia/network/aws"
  version = "0.0.8"

  enable_route53_resolver_rules = false
  # ... other configuration ...
}

# Exclude specific resolver rules from association
module "vpc" {
  source  = "appvia/network/aws"
  version = "0.0.8"

  enable_route53_resolver_rules    = true
  exclude_route53_resolver_rules   = ["rslvr-rr-1234567890abcdef0"]  # Resolver Rule IDs to exclude
  # ... other configuration ...
}

By default (enable_route53_resolver_rules = true), the module will:

  • Automatically discover all resolver rules shared with your account
  • Associate them with the VPC being created
  • Allow you to exclude specific rules using the exclude_route53_resolver_rules variable

Adding Additional Subnets

To add more subnets to your VPC, you can extend the subnet configurations in your Terraform code. Here are some examples:

Adding Public Subnets

module "vpc" {
  subnets = {
    public = {
      cidr_blocks = ["10.0.10.0/24", "10.0.11.0/24", "10.0.12.0/24"]
      tags = {
        Name = "public-subnets"
      }
    }
  }
}

Sharing Subnets via RAM

VPC sharing allows multiple AWS accounts to create their application resources, such as Amazon EC2 instances, Amazon RDS databases, and Amazon Redshift clusters, into a shared, centrally managed VPC. The benefits of VPC sharing include:

  • Cost Savings: By sharing a single VPC across multiple accounts, you can reduce the number of VPCs needed, which can lead to cost savings.
  • Simplified Network Management: Centralized management of network resources simplifies the administration and monitoring of network configurations.
  • Improved Security: VPC sharing allows for consistent security policies and monitoring across multiple accounts, enhancing the overall security posture.

Remember to:

  1. Ensure CIDR blocks don't overlap
  2. Consider your IP address space requirements
  3. Follow your organization's IP addressing scheme

The module include a convenient way to share subnets using AWS Resource Access Manager (RAM). Here is an example configuration:

## Provision a network is no subnets inside
module "vpc" {
  source = "../.."

  availability_zones = 3
  name               = "development"
  tags               = local.tags
  vpc_cidr           = "10.90.0.0/16"
}

## Curve out subnets for sharing
module "subnets" {
  source = "../../modules/shared"

  name   = "product-a"
  share  = { accounts = ["123456789012"] }
  tags   = local.tags
  vpc_id = module.vpc.vpc_id

  ## Additional subnet to add to the isolation zone
  permitted_subnets = [
    "10.90.20.0/24",
  ]

  subnets = {
    web = {
      cidrs = ["10.90.0.0/24", "10.90.1.0/24"]
    }
    app = {
      cidrs = ["10.90.10.0/24", "10.90.11.0/24"]
    }
  }
}

Note, this module will automatically create a network access control list (NACL) for the shared subnets, it will any

  1. Permit all outbound and inbound traffic from the subnets
  2. Permit all outbound and inbound traffic from the var.permitted_subnets variable cidr_blocks.
  3. Deny all other traffic to the VPC CIDR block.
  4. Permit all outbound and inbound traffic not destined to the VPC CIDR block.

By performing the above to ensure the subnets are isolated from the rest of the VPC, while still allowing access to external resources.

Network Access Control Lists (NACLs)

Network Access Control Lists (NACLs) are an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. Unlike security groups, NACLs are stateless, meaning that responses to allowed inbound traffic are subject to the rules for outbound traffic. NACLs allow you to explicitly allow or deny traffic based on IP address, port, and protocol. Here's an example of how to configure NACLs in this module:

module "vpc" {
  source = "../.."

  name               = "production"
  vpc_cidr           = "10.0.0.0/16"
  availability_zones = 3
  tags               = local.tags

  subnets = {
    private = {
      netmask = 24
    }
  }

  nacl_rules = {
    private = {
      inbound_rules = [
        {
          cidr_block  = "10.0.0.0/24"
          from_port   = 22
          to_port     = 22
          protocol    = 6  # TCP
          rule_action = "allow"
          rule_number = 100
        }
      ],
      outbound_rules = [
        {
          cidr_block  = "0.0.0.0/0"
          from_port   = 0
          to_port     = 65535
          protocol    = -1  # All traffic
          rule_action = "allow"
          rule_number = 100
        }
      ]
    }
  }
}

Update Documentation

The terraform-docs utility is used to generate this README. Follow the below steps to update:

  1. Make changes to the .terraform-docs.yml file
  2. Fetch the terraform-docs binary (https://terraform-docs.io/user-guide/installation/)
  3. Run terraform-docs markdown table --output-file ${PWD}/README.md --output-mode inject .

Providers

Name Version
aws ~> 6.0

Inputs

Name Description Type Default Required
name Is the name of the network to provision string n/a yes
tags Tags to apply to all resources map(string) n/a yes
associate_hosted_ids The list of hosted zone ids to associate with the VPC list(string) [] no
availability_zones The number of availability zone the network should be deployed into number 2 no
dns_query_log_retention The number of days to retain DNS query logs number 7 no
enable_default_route_table_association Indicates the transit gateway default route table should be associated with the subnets bool true no
enable_default_route_table_propagation Indicates the transit gateway default route table should be propagated to the subnets bool true no
enable_dns_request_logging Enable logging of DNS requests bool false no
enable_dynamodb_endpoint Enable DynamoDB VPC Gateway endpoint bool true no
enable_private_endpoints Indicates the network should provision private endpoints list(string) [] no
enable_route53_resolver_rules Automatically associates any shared route53 resolver rules with the VPC bool true no
enable_s3_endpoint Enable S3 VPC Gateway endpoint bool true no
enable_ssm Indicates we should provision SSM private endpoints bool false no
enable_transit_gateway_appliance_mode Indicates the network should be connected to a transit gateway in appliance mode bool false no
enable_transit_gateway_subnet_natgw Indicates if the transit gateway subnets should be connected to a nat gateway bool false no
exclude_route53_resolver_rules List of resolver rules to exclude from association list(string) [] no
flow_logs Configuration for VPC flow logs
object({
## The type of destination for the flow logs (s3, kinesis-data-firehose, cloud-watch-logs)
destination_type = string
## The ARN of the destination for the flow logs (s3 bucket, kinesis data firehose, cloud watch logs)
destination_arn = string
## The format of the flow logs (plain-text, parquet)
log_format = optional(string, "plain-text")
## The type of traffic to capture (ALL, ACCEPT, REJECT)
traffic_type = optional(string, "ALL")
## Destination options
destination_options = optional(object({
# The format of the flow logs (plain-text, parquet)
file_format = string
# Whether to use hive compatible partitions
hive_compatible_partitions = bool
# Whether to partition the flow logs per hour
per_hour_partition = bool
}), null)
})
null no
ipam_pool_id An optional pool id to use for IPAM pool to use string null no
nacl_rules Map of NACL rules to apply to different subnet types. Each rule requires from_port, to_port, protocol, rule_action, cidr_block, and rule_number
map(object({
inbound = list(object({
cidr_block = string
from_port = optional(number, null)
icmp_code = optional(number, 0)
icmp_type = optional(number, 0)
ipv6_cidr_block = optional(string, null)
protocol = optional(number, -1)
rule_action = optional(string, "allow")
rule_number = number
to_port = optional(number, null)
}))
outbound = list(object({
cidr_block = string
from_port = optional(number, null)
icmp_code = optional(number, 0)
icmp_type = optional(number, 0)
ipv6_cidr_block = optional(string, null)
protocol = optional(number, -1)
rule_action = optional(string, "allow")
rule_number = number
to_port = optional(number, null)
}))
}))
{} no
nat_gateway_mode The configuration mode of the NAT gateways string "none" no
private_subnet_netmask The netmask for the private subnets number 0 no
private_subnet_tags Additional tags for the private subnets map(string) {} no
public_subnet_netmask The netmask for the public subnets number 0 no
public_subnet_tags Additional tags for the public subnets map(string) {} no
subnets Additional subnets to create in the network, keyed by the subnet name any {} no
transit_gateway_id If enabled, and not lookup is disabled, the transit gateway id to connect to string null no
transit_gateway_routes If enabled, this is the cidr block to route down the transit gateway map(string)
{
"private": "10.0.0.0/8"
}
no
transit_subnet_tags Additional tags for the transit subnets map(string) {} no
vpc_cidr An optional cidr block to assign to the VPC (if not using IPAM) string null no
vpc_instance_tenancy The name of the VPC to create string "default" no
vpc_netmask An optional range assigned to the VPC number null no

Outputs

Name Description
all_subnets_by_name A map of the subnet name to the subnet ID i.e. private/us-east-1a => subnet_id
nat_public_ips The public IPs of the NAT Gateways i.e [public_ip, public_ip]
natgw_id_per_az The IDs of the NAT Gateways (see aws-ia/vpc/aws for details)
private_route_table_ids The IDs of the private route tables ie. [route_table_id, route_table_id]
private_subnet_attributes_by_az The attributes of the private subnets (see aws-ia/vpc/aws for details)
private_subnet_cidr_by_id A map of the private subnet ID to CIDR block i.e. us-west-2a => subnet_cidr
private_subnet_cidrs A list of the CIDRs for the private subnets
private_subnet_id_by_az A map of availability zone to subnet id of the private subnets i.e. eu-west-2a => subnet_id
private_subnet_ids The IDs of the private subnets i.e. [subnet_id, subnet_id]
public_route_table_ids The IDs of the public route tables ie. [route_table_id, route_table_id]
public_subnet_attributes_by_az The attributes of the public subnets (see aws-ia/vpc/aws for details)
public_subnet_cidr_by_id A map of the public subnet ID to CIDR block i.e. us-west-2a => subnet_cidr
public_subnet_cidrs A list of the CIDRs for the public subnets i.e. [subnet_cidr, subnet_cidr]
public_subnet_id_by_az A map of availability zone to subnet id of the public subnets i.e. eu-west-2a => subnet_id
public_subnet_ids The IDs of the public subnets i.e. [subnet_id, subnet_id]
rt_attributes_by_type_by_az The attributes of the route tables (see aws-ia/vpc/aws for details)
subnets The subnets created by the module
transit_gateway_attachment_id The ID of the transit gateway attachment if enabled
transit_route_table_by_az A map of availability zone to transit gateway route table ID i.e eu-west-2a => route_table_id
transit_route_table_ids The IDs of the transit gateway route tables ie. [route_table_id, route_table_id]
transit_subnet_attributes_by_az The attributes of the transit gateway subnets (see aws-ia/vpc/aws for details)
transit_subnet_ids The IDs of the transit gateway subnets ie. [subnet_id, subnet_id]
vpc_attributes The attributes of the VPC (see aws-ia/vpc/aws for details)
vpc_cidr The CIDR block of the VPC
vpc_id The ID of the VPC

About

Used to provision a standard network (vpc) within an account

Topics

Resources

License

Code of conduct

Security policy

Stars

Watchers

Forks

Packages

No packages published

Contributors 7