Extend README, refactor variables and outputs

Author: sebastianczech

README.md

@@ -583,8 +583,8 @@ No modules.
 | <a name="input_single_nat_gateway"></a> [single\_nat\_gateway](#input\_single\_nat\_gateway) | Should be true if you want to provision a single shared NAT Gateway across all of your private networks | `bool` | `false` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
 | <a name="input_use_ipam_pool"></a> [use\_ipam\_pool](#input\_use\_ipam\_pool) | Determines whether IPAM pool is used for CIDR allocation | `bool` | `false` | no |
-| <a name="input_vpc_block_public_access_exclusions"></a> [vpc\_block\_public\_access\_exclusions](#input\_vpc\_block\_public\_access\_exclusions) | List of VPC Block Public Access Exclusions e.g. to exclude the VPC:<pre>vpc_block_public_access_exclusions = {<br/>    exclude_vpc = {<br/>      exclude_vpc                     = true<br/>      internet_gateway_exclusion_mode = "allow-bidirectional"<br/>    }<br/>  }</pre>or to exclude specific subnets:<pre>vpc_block_public_access_exclusions = {<br/>    exclude_subnet_private1 = {<br/>      exclude_subnet                  = true<br/>      subnet_type                     = "private"<br/>      subnet_index                    = 1<br/>      internet_gateway_exclusion_mode = "allow-egress"<br/>    }<br/>    exclude_subnet_private2 = {<br/>      exclude_subnet                  = true<br/>      subnet_type                     = "private"<br/>      subnet_index                    = 2<br/>      internet_gateway_exclusion_mode = "allow-egress"<br/>    }<br/>  }</pre>One of `exclude_vpc` or `exclude_subnet` must be set to true.<br/>  Value of `subnet_type` can be `public`, `private`, `database`, `redshift`, `elasticache`, `intra` or `custom`.<br/>  Value of `subnet_index` is the index of the subnet in the corresponding subnet list.<br/>  Value of `internet_gateway_exclusion_mode` can be `allow-egress` and `allow-bidirectional`. | `map(any)` | `{}` | no |
-| <a name="input_vpc_block_public_access_options"></a> [vpc\_block\_public\_access\_options](#input\_vpc\_block\_public\_access\_options) | Map of VPC Block Public Access Options e.g.:<pre>vpc_block_public_access_options = {<br/>    internet_gateway_block_mode = "block-bidirectional"<br/>  }</pre>Currently only `internet_gateway_block_mode` is supported, for which<br/>  valid values are `block-bidirectional`, `block-ingress` and `off`. | `map(string)` | `{}` | no |
+| <a name="input_vpc_block_public_access_exclusions"></a> [vpc\_block\_public\_access\_exclusions](#input\_vpc\_block\_public\_access\_exclusions) | A map of VPC block public access exclusions | `map(any)` | `{}` | no |
+| <a name="input_vpc_block_public_access_options"></a> [vpc\_block\_public\_access\_options](#input\_vpc\_block\_public\_access\_options) | A map of VPC block public access options | `map(string)` | `{}` | no |
 | <a name="input_vpc_flow_log_iam_policy_name"></a> [vpc\_flow\_log\_iam\_policy\_name](#input\_vpc\_flow\_log\_iam\_policy\_name) | Name of the IAM policy | `string` | `"vpc-flow-log-to-cloudwatch"` | no |
 | <a name="input_vpc_flow_log_iam_policy_use_name_prefix"></a> [vpc\_flow\_log\_iam\_policy\_use\_name\_prefix](#input\_vpc\_flow\_log\_iam\_policy\_use\_name\_prefix) | Determines whether the name of the IAM policy (`vpc_flow_log_iam_policy_name`) is used as a prefix | `bool` | `true` | no |
 | <a name="input_vpc_flow_log_iam_role_name"></a> [vpc\_flow\_log\_iam\_role\_name](#input\_vpc\_flow\_log\_iam\_role\_name) | Name to use on the VPC Flow Log IAM role created | `string` | `"vpc-flow-log-role"` | no |
@@ -703,7 +703,7 @@ No modules.
 | <a name="output_vgw_arn"></a> [vgw\_arn](#output\_vgw\_arn) | The ARN of the VPN Gateway |
 | <a name="output_vgw_id"></a> [vgw\_id](#output\_vgw\_id) | The ID of the VPN Gateway |
 | <a name="output_vpc_arn"></a> [vpc\_arn](#output\_vpc\_arn) | The ARN of the VPC |
-| <a name="output_vpc_block_public_access_exclusions"></a> [vpc\_block\_public\_access\_exclusions](#output\_vpc\_block\_public\_access\_exclusions) | List of VPC block public access exclusions |
+| <a name="output_vpc_block_public_access_exclusions"></a> [vpc\_block\_public\_access\_exclusions](#output\_vpc\_block\_public\_access\_exclusions) | A map of VPC block public access exclusions |
 | <a name="output_vpc_cidr_block"></a> [vpc\_cidr\_block](#output\_vpc\_cidr\_block) | The CIDR block of the VPC |
 | <a name="output_vpc_enable_dns_hostnames"></a> [vpc\_enable\_dns\_hostnames](#output\_vpc\_enable\_dns\_hostnames) | Whether or not the VPC has DNS hostname support |
 | <a name="output_vpc_enable_dns_support"></a> [vpc\_enable\_dns\_support](#output\_vpc\_enable\_dns\_support) | Whether or not the VPC has DNS support |

examples/block-public-access/README.md

@@ -18,13 +18,58 @@ $ terraform apply
 
 Note that this example may create resources which can cost money (AWS Elastic IP, for example). Run `terraform destroy` when you don't need these resources.
 
-After deployment, VPC Block Public Access Options can be verified with the following command:
+In the example below, a map of VPC block public access options is configured:
+
+```
+vpc_block_public_access_options = {
+    internet_gateway_block_mode = "block-bidirectional"
+}
+```
+
+Currently only `internet_gateway_block_mode` is supported, for which valid values are `block-bidirectional`, `block-ingress` and `off`.
+
+VPC block public access exclusions can be applied at the VPC level e.g.:
+
+```
+vpc_block_public_access_exclusions = {
+    exclude_vpc = {
+        exclude_vpc                     = true
+        internet_gateway_exclusion_mode = "allow-bidirectional"
+    }
+}
+```
+
+or at the subnet level e.g.:
+
+```
+vpc_block_public_access_exclusions = {
+    exclude_subnet_private1 = {
+        exclude_subnet                  = true
+        subnet_type                     = "private"
+        subnet_index                    = 1
+        internet_gateway_exclusion_mode = "allow-egress"
+    }
+    exclude_subnet_private2 = {
+        exclude_subnet                  = true
+        subnet_type                     = "private"
+        subnet_index                    = 2
+        internet_gateway_exclusion_mode = "allow-egress"
+    }
+}
+```
+
+One of `exclude_vpc` or `exclude_subnet` must be set to true.
+Value of `subnet_type` can be `public`, `private`, `database`, `redshift`, `elasticache`, `intra` or `custom`.
+Value of `subnet_index` is the index of the subnet in the corresponding subnet list.
+Value of `internet_gateway_exclusion_mode` can be `allow-egress` and `allow-bidirectional`.
+
+After deployment, VPC block public access options can be verified with the following command:
 
 ```bash
 aws ec2 --region eu-west-1 describe-vpc-block-public-access-options
 ```
 
-Similarly, VPC Block Public Access Exclusions can be checked by obtaining the exclusion ID from the Terraform output and running commands:
+Similarly, VPC block public access exclusions can be checked by obtaining the exclusion ID from the Terraform output and running commands:
 
 ```bash
 terraform output vpc_block_public_access_exclusions
@@ -159,7 +204,7 @@ No inputs.
 | <a name="output_vgw_arn"></a> [vgw\_arn](#output\_vgw\_arn) | The ARN of the VPN Gateway |
 | <a name="output_vgw_id"></a> [vgw\_id](#output\_vgw\_id) | The ID of the VPN Gateway |
 | <a name="output_vpc_arn"></a> [vpc\_arn](#output\_vpc\_arn) | The ARN of the VPC |
-| <a name="output_vpc_block_public_access_exclusions"></a> [vpc\_block\_public\_access\_exclusions](#output\_vpc\_block\_public\_access\_exclusions) | List of VPC block public access exclusions |
+| <a name="output_vpc_block_public_access_exclusions"></a> [vpc\_block\_public\_access\_exclusions](#output\_vpc\_block\_public\_access\_exclusions) | A map of VPC block public access exclusions |
 | <a name="output_vpc_cidr_block"></a> [vpc\_cidr\_block](#output\_vpc\_cidr\_block) | The CIDR block of the VPC |
 | <a name="output_vpc_enable_dns_hostnames"></a> [vpc\_enable\_dns\_hostnames](#output\_vpc\_enable\_dns\_hostnames) | Whether or not the VPC has DNS hostname support |
 | <a name="output_vpc_enable_dns_support"></a> [vpc\_enable\_dns\_support](#output\_vpc\_enable\_dns\_support) | Whether or not the VPC has DNS support |

examples/block-public-access/outputs.tf

@@ -69,7 +69,7 @@ output "vpc_owner_id" {
 }
 
 output "vpc_block_public_access_exclusions" {
-  description = "List of VPC block public access exclusions"
+  description = "A map of VPC block public access exclusions"
   value       = module.vpc.vpc_block_public_access_exclusions
 }
 

outputs.tf

@@ -79,8 +79,8 @@ output "vpc_owner_id" {
 }
 
 output "vpc_block_public_access_exclusions" {
-  description = "List of VPC block public access exclusions"
-  value       = [for k, v in aws_vpc_block_public_access_exclusion.this : v.id]
+  description = "A map of VPC block public access exclusions"
+  value       = { for k, v in aws_vpc_block_public_access_exclusion.this : k => v.id }
 }
 
 ################################################################################

variables.tf

@@ -117,60 +117,13 @@ variable "tags" {
 }
 
 variable "vpc_block_public_access_options" {
-  description = <<EOF
-  Map of VPC Block Public Access Options e.g.:
-
-  ```
-  vpc_block_public_access_options = {
-    internet_gateway_block_mode = "block-bidirectional"
-  }
-  ```
-
-  Currently only `internet_gateway_block_mode` is supported, for which
-  valid values are `block-bidirectional`, `block-ingress` and `off`.
-  EOF
+  description = "A map of VPC block public access options"
   type        = map(string)
   default     = {}
 }
 
 variable "vpc_block_public_access_exclusions" {
-  description = <<EOF
-  List of VPC Block Public Access Exclusions e.g. to exclude the VPC:
-
-  ```
-  vpc_block_public_access_exclusions = {
-    exclude_vpc = {
-      exclude_vpc                     = true
-      internet_gateway_exclusion_mode = "allow-bidirectional"
-    }
-  }
-  ```
-
-  or to exclude specific subnets:
-
-  ```
-  vpc_block_public_access_exclusions = {
-    exclude_subnet_private1 = {
-      exclude_subnet                  = true
-      subnet_type                     = "private"
-      subnet_index                    = 1
-      internet_gateway_exclusion_mode = "allow-egress"
-    }
-    exclude_subnet_private2 = {
-      exclude_subnet                  = true
-      subnet_type                     = "private"
-      subnet_index                    = 2
-      internet_gateway_exclusion_mode = "allow-egress"
-    }
-  }
-  ```
-
-  One of `exclude_vpc` or `exclude_subnet` must be set to true.
-  Value of `subnet_type` can be `public`, `private`, `database`, `redshift`, `elasticache`, `intra` or `custom`.
-  Value of `subnet_index` is the index of the subnet in the corresponding subnet list.
-  Value of `internet_gateway_exclusion_mode` can be `allow-egress` and `allow-bidirectional`.
-
-  EOF
+  description = "A map of VPC block public access exclusions"
   type        = map(any)
   default     = {}
 }