Update variables description

terraform-aws-modules · Jan 27, 2025 · d50a3cb · d50a3cb
1 parent 04ff3d9
commit d50a3cb
Show file tree

Hide file tree

Showing 4 changed files with 67 additions and 25 deletions.
diff --git a/README.md b/README.md
@@ -583,8 +583,8 @@ No modules.
 | <a name="input_single_nat_gateway"></a> [single\_nat\_gateway](#input\_single\_nat\_gateway) | Should be true if you want to provision a single shared NAT Gateway across all of your private networks | `bool` | `false` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
 | <a name="input_use_ipam_pool"></a> [use\_ipam\_pool](#input\_use\_ipam\_pool) | Determines whether IPAM pool is used for CIDR allocation | `bool` | `false` | no |
-| <a name="input_vpc_block_public_access_exclusions"></a> [vpc\_block\_public\_access\_exclusions](#input\_vpc\_block\_public\_access\_exclusions) | List of VPC Block Public Access Exclusions | `map(any)` | `{}` | no |
-| <a name="input_vpc_block_public_access_options"></a> [vpc\_block\_public\_access\_options](#input\_vpc\_block\_public\_access\_options) | Map of VPC Block Public Access Options | `map(string)` | `{}` | no |
+| <a name="input_vpc_block_public_access_exclusions"></a> [vpc\_block\_public\_access\_exclusions](#input\_vpc\_block\_public\_access\_exclusions) | List of VPC Block Public Access Exclusions e.g. to exclude the VPC:<br/><br/>  vpc\_block\_public\_access\_exclusions = {<br/>    exclude\_vpc = {<br/>      exclude\_vpc                     = true<br/>      internet\_gateway\_exclusion\_mode = "allow-bidirectional"<br/>    }<br/>  }<br/><br/>  or to exclude specific subnets:<br/><br/>  vpc\_block\_public\_access\_exclusions = {<br/>    exclude\_subnet\_private1 = {<br/>      exclude\_subnet                  = true<br/>      subnet\_type                     = "private"<br/>      subnet\_index                    = 1<br/>      internet\_gateway\_exclusion\_mode = "allow-egress"<br/>    }<br/>    exclude\_subnet\_private2 = {<br/>      exclude\_subnet                  = true<br/>      subnet\_type                     = "private"<br/>      subnet\_index                    = 2<br/>      internet\_gateway\_exclusion\_mode = "allow-egress"<br/>    }<br/>  }<br/><br/>  One of `exclude_vpc` or `exclude_subnet` must be set to true.<br/>  Value of `subnet_type` can be `public`, `private`, `database`, `redshift`, `elasticache`, `intra` or `custom`.<br/>  Value of `subnet_index` is the index of the subnet in the corresponding subnet list.<br/>  Value of `internet_gateway_exclusion_mode` can be `allow-egress` and `allow-bidirectional`. | `map(any)` | `{}` | no |
+| <a name="input_vpc_block_public_access_options"></a> [vpc\_block\_public\_access\_options](#input\_vpc\_block\_public\_access\_options) | Map of VPC Block Public Access Options e.g.:<br/><br/>  vpc\_block\_public\_access\_options = {<br/>    internet\_gateway\_block\_mode = "block-bidirectional"<br/>  }<br/><br/>  Currently only `internet_gateway_block_mode` is supported, for which<br/>  valid values are `block-bidirectional`, `block-ingress` and `off`. | `map(string)` | `{}` | no |
 | <a name="input_vpc_flow_log_iam_policy_name"></a> [vpc\_flow\_log\_iam\_policy\_name](#input\_vpc\_flow\_log\_iam\_policy\_name) | Name of the IAM policy | `string` | `"vpc-flow-log-to-cloudwatch"` | no |
 | <a name="input_vpc_flow_log_iam_policy_use_name_prefix"></a> [vpc\_flow\_log\_iam\_policy\_use\_name\_prefix](#input\_vpc\_flow\_log\_iam\_policy\_use\_name\_prefix) | Determines whether the name of the IAM policy (`vpc_flow_log_iam_policy_name`) is used as a prefix | `bool` | `true` | no |
 | <a name="input_vpc_flow_log_iam_role_name"></a> [vpc\_flow\_log\_iam\_role\_name](#input\_vpc\_flow\_log\_iam\_role\_name) | Name to use on the VPC Flow Log IAM role created | `string` | `"vpc-flow-log-role"` | no |

diff --git a/examples/block-public-access/README.md b/examples/block-public-access/README.md
@@ -22,8 +22,9 @@ This example defines VPC Block Public Access Exclusion at the subnet level, but
 
 - configure VPC Block Public Access Options e.g.:
 ```hcl
-  internet_gateway_block_enabled = true
-  internet_gateway_block_mode    = "block-bidirectional"
+  vpc_block_public_access_options = {
+    internet_gateway_block_mode = "block-bidirectional"
+  }
 ```
 
 - define VPC Block Public Access Exclusion at the VPC level e.g.:

diff --git a/examples/block-public-access/main.tf b/examples/block-public-access/main.tf
@@ -37,28 +37,28 @@ module "vpc" {
   }
 
   ### VPC Block Public Access Exclusion at the VPC level
-  # vpc_block_public_access_exclusions = {
-  #   exclude_vpc = {
-  #     exclude_vpc                     = true
-  #     internet_gateway_exclusion_mode = "allow-bidirectional"
-  #   }
-  # }
-
-  ### VPC Block Public Access Exclusion at the subnet level
   vpc_block_public_access_exclusions = {
-    exclude_subnet_private1 = {
-      exclude_subnet                  = true
-      subnet_type                     = "private"
-      subnet_index                    = 1
-      internet_gateway_exclusion_mode = "allow-egress"
-    }
-    exclude_subnet_private2 = {
-      exclude_subnet                  = true
-      subnet_type                     = "private"
-      subnet_index                    = 2
-      internet_gateway_exclusion_mode = "allow-egress"
+    exclude_vpc = {
+      exclude_vpc                     = true
+      internet_gateway_exclusion_mode = "allow-bidirectional"
     }
   }
 
+  ### VPC Block Public Access Exclusion at the subnet level
+  # vpc_block_public_access_exclusions = {
+  #   exclude_subnet_private1 = {
+  #     exclude_subnet                  = true
+  #     subnet_type                     = "private"
+  #     subnet_index                    = 1
+  #     internet_gateway_exclusion_mode = "allow-egress"
+  #   }
+  #   exclude_subnet_private2 = {
+  #     exclude_subnet                  = true
+  #     subnet_type                     = "private"
+  #     subnet_index                    = 2
+  #     internet_gateway_exclusion_mode = "allow-egress"
+  #   }
+  # }
+
   tags = local.tags
 }
diff --git a/variables.tf b/variables.tf
@@ -117,13 +117,54 @@ variable "tags" {
 }
 
 variable "vpc_block_public_access_options" {
-  description = "Map of VPC Block Public Access Options"
+  description = <<EOF
+  Map of VPC Block Public Access Options e.g.:
+
+  vpc_block_public_access_options = {
+    internet_gateway_block_mode = "block-bidirectional"
+  }
+
+  Currently only `internet_gateway_block_mode` is supported, for which
+  valid values are `block-bidirectional`, `block-ingress` and `off`.
+  EOF
   type        = map(string)
   default     = {}
 }
 
 variable "vpc_block_public_access_exclusions" {
-  description = "List of VPC Block Public Access Exclusions"
+  description = <<EOF
+  List of VPC Block Public Access Exclusions e.g. to exclude the VPC:
+
+  vpc_block_public_access_exclusions = {
+    exclude_vpc = {
+      exclude_vpc                     = true
+      internet_gateway_exclusion_mode = "allow-bidirectional"
+    }
+  }
+
+  or to exclude specific subnets:
+
+  vpc_block_public_access_exclusions = {
+    exclude_subnet_private1 = {
+      exclude_subnet                  = true
+      subnet_type                     = "private"
+      subnet_index                    = 1
+      internet_gateway_exclusion_mode = "allow-egress"
+    }
+    exclude_subnet_private2 = {
+      exclude_subnet                  = true
+      subnet_type                     = "private"
+      subnet_index                    = 2
+      internet_gateway_exclusion_mode = "allow-egress"
+    }
+  }
+
+  One of `exclude_vpc` or `exclude_subnet` must be set to true.
+  Value of `subnet_type` can be `public`, `private`, `database`, `redshift`, `elasticache`, `intra` or `custom`.
+  Value of `subnet_index` is the index of the subnet in the corresponding subnet list.
+  Value of `internet_gateway_exclusion_mode` can be `allow-egress` and `allow-bidirectional`.
+
+  EOF
   type        = map(any)
   default     = {}
 }