Skip to content

Module Structure

terraform-aws-arc-network

Latest Release Last Updated Terraform GitHub Actions

Quality gate

Known Vulnerabilities

Introduction

SourceFuse's AWS Reference Architecture (ARC) Terraform module facilitates the management of AWS VPC and associated networking resources. It includes features like VPC creation, Client VPN, and VPC endpoints for services like S3 and DynamoDB, enhancing network connectivity and security.

For more information about this repository and its usage, please see Terraform AWS ARC Network Module Usage Guide.

arc_network_hla

Create the following resources in a single region.

  • VPC
  • Multi-AZ private and public subnets
  • Route tables, internet gateway, and NAT gateways
  • Configurable VPC Endpoints

Prerequisites

Before using this module, ensure you have the following:

  • AWS credentials configured.
  • Terraform installed.
  • A working knowledge of Terraform.

Usage

See the examples folder for a complete example.

module "network" {
  namespace   = var.namespace
  environment = var.environment

  name                    = "arc-poc"
  create_internet_geteway = true
  availability_zones      = ["us-east-1a", "us-east-1b", "us-east-1c"]
  cidr_block              = "10.0.0.0/16"
  vpc_endpoint_data = [
    {
      service            = "s3"
      route_table_filter = "private"
    },
    {
      service            = "dynamodb"
      route_table_filter = "private"
    }
  ]

  tags = module.tags.tags
}

custom-subnets example

module "network" {
  source                      = "sourcefuse/arc-network/aws"
  version                     = "3.0.0"

  namespace   = var.namespace
  environment = var.environment

  name                    = "arc-poc"
  create_internet_geteway = true
  subnet_map              = local.subnet_map
  cidr_block              = "10.0.0.0/16"
  vpc_endpoint_data = [
    {
      service            = "s3"
      route_table_filter = "private"
    },
    {
      service            = "dynamodb"
      route_table_filter = "private"
    }
  ]

  tags = module.tags.tags

}

locals {

  prefix = "arc-poc"

  subnet_map = {
    "${local.prefix}-public-az1" = {
      name                    = "${local.prefix}-public-az1"
      cidr_block              = "10.0.0.0/19"
      availability_zone       = "us-east-1a"
      nat_gateway_name        = "${local.prefix}-az1-ngtw01"
      attach_nat_gateway      = false
      create_nat_gateway      = true
      attach_internet_gateway = true
    },
    "${local.prefix}-public-az2" = {
      name                    = "${local.prefix}-public-az2"
      cidr_block              = "10.0.32.0/19"
      availability_zone       = "us-east-1b"
      nat_gateway_name        = "${local.prefix}-az2-ngtw01"
      attach_nat_gateway      = false
      create_nat_gateway      = true
      attach_internet_gateway = true
    },
    "${local.prefix}-db-az1" = {
      name                    = "${local.prefix}-db-az1"
      cidr_block              = "10.0.64.0/19"
      availability_zone       = "us-east-1a"
      nat_gateway_name        = "${local.prefix}-az1-ngtw01"
      attach_nat_gateway      = true
      create_nat_gateway      = false
      attach_internet_gateway = false
    },
    "${local.prefix}-db-az2" = {
      name                    = "${local.prefix}-db-az2"
      cidr_block              = "10.0.96.0/19"
      availability_zone       = "us-east-1b"
      nat_gateway_name        = "${local.prefix}-az2-ngtw01"
      attach_nat_gateway      = true
      create_nat_gateway      = false
      attach_internet_gateway = false
    },
    "${local.prefix}-app-az1" = {
      name                    = "${local.prefix}-app-az1"
      cidr_block              = "10.0.128.0/19"
      availability_zone       = "us-east-1a"
      nat_gateway_name        = "${local.prefix}-az1-ngtw01"
      attach_nat_gateway      = true
      create_nat_gateway      = false
      attach_internet_gateway = false
    },
    "${local.prefix}-app-az2" = {
      name                    = "${local.prefix}-app-az2"
      cidr_block              = "10.0.160.0/19"
      availability_zone       = "us-east-1b"
      nat_gateway_name        = "${local.prefix}-az2-ngtw01"
      attach_nat_gateway      = true
      create_nat_gateway      = false
      attach_internet_gateway = false
    }
  }
}

Requirements

Name Version
terraform >= 1.3, < 2.0.0
aws >= 4.0, < 6.0

Providers

Name Version
aws 5.75.0

Modules

Name Source Version
kms sourcefuse/arc-kms/aws 1.0.9

Resources

Name Type
aws_cloudwatch_log_group.this resource
aws_eip.nat_gw resource
aws_flow_log.this resource
aws_iam_policy.this resource
aws_iam_role.this resource
aws_iam_role_policy_attachment.attach_flow_logs_policy resource
aws_internet_gateway.this resource
aws_nat_gateway.this resource
aws_route.additional resource
aws_route.internet_gw resource
aws_route.nat resource
aws_route_table.this resource
aws_route_table_association.additional resource
aws_route_table_association.this resource
aws_subnet.this resource
aws_vpc.this resource
aws_vpc_endpoint.this resource
aws_caller_identity.current data source
aws_iam_policy_document.assume data source
aws_iam_policy_document.flow_logs_policy data source
aws_region.current data source
aws_region.this data source
aws_route_tables.private data source
aws_route_tables.public data source

Inputs

Name Description Type Default Required
assign_generated_ipv6_cidr_block Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. bool false no
availability_zones (optional) List of availability zones , if subnet map is null , subnet map autimatically derived list(string) [] no
cidr_block The CIDR block for the VPC. string n/a yes
create_internet_geteway (optional) Whether to create internet gateway bool true no
enable_dns_hostnames A boolean flag to enable/disable DNS hostnames in the VPC. bool true no
enable_dns_support A boolean flag to enable/disable DNS support in the VPC. bool true no
enable_network_address_usage_metrics Enable or disable network address usage metrics. bool false no
environment Environmenr name string n/a yes
instance_tenancy A tenancy option for instances launched into the VPC. Can be 'default' or 'dedicated'. string "default" no
internet_geteway_name (optional) If the Internet Gateway name is not provided, it will be automatically derived. string null no
ipv4_ipam_pool_id The IPv4 IPAM pool ID from which to allocate the CIDR. string null no
ipv4_netmask_length The netmask length of the IPv4 CIDR block to allocate to the VPC. number null no
ipv6_cidr_block The IPv6 CIDR block to associate with your VPC. string null no
ipv6_cidr_block_network_border_group The network border group of the IPv6 CIDR block. string null no
ipv6_ipam_pool_id The IPv6 IPAM pool ID from which to allocate the CIDR. string null no
ipv6_netmask_length The netmask length of the IPv6 CIDR block to allocate to the VPC. number null no
kms_config n/a
object({
deletion_window_in_days = number
enable_key_rotation = bool
})
{
"deletion_window_in_days": 30,
"enable_key_rotation": true
}
no
name VPC name string n/a yes
namespace Namespace name string n/a yes
subnet_map A map defining the configuration of subnets, their attributes, and associated resources.
Each subnet configuration can include the following details:

- name: Name of the subnet.
- cidr_block: CIDR block for the subnet.
- availability_zone: The availability zone where the subnet is located.
- enable_resource_name_dns_a_record_on_launch: Enable or disable DNS A records for EC2 instances launched in this subnet (default: false).
- enable_resource_name_dns_aaaa_record_on_launch: Enable or disable DNS AAAA records for EC2 instances launched in this subnet (default: false).
- map_public_ip_on_launch: Specify whether to auto-assign a public IP for instances in this subnet (default: false).
- ipv6_native: Enable or disable native IPv6 support for the subnet (default: false).
- assign_ipv6_address_on_creation: Whether to automatically assign an IPv6 address to instances launched in the subnet (default: false).
- ipv6_cidr_block: The IPv6 CIDR block associated with the subnet (optional).
- enable_dns64: Enable or disable DNS64 in the subnet (default: false).
- nat_gateway_name: Name of the NAT Gateway attached to the subnet (optional).
- create_nat_gateway: Specify whether to create a NAT Gateway for the subnet (default: true).
- attach_nat_gateway: Specify whether to attach an existing NAT Gateway to the subnet (default: false).
- attach_internet_gateway: Specify whether to attach an Internet Gateway to the subnet (default: false).
- additional_routes: List of additional routes to be added to the subnet route table, typically to route traffic to other services like Transit Gateway. Each route includes:
- type: Type of resource (default: "transit-gateway").
- id: The ID of the route target (e.g., a Transit Gateway ID).
- cidr_block: The destination CIDR block for the route.
- destination_ipv6_cidr_block: The destination IPV6 CIDR block for the route.
map(object({
name = string
cidr_block = string
availability_zone = string
enable_resource_name_dns_a_record_on_launch = optional(bool, false)
enable_resource_name_dns_aaaa_record_on_launch = optional(bool, false)
map_public_ip_on_launch = optional(bool, false)
ipv6_native = optional(bool, false)
assign_ipv6_address_on_creation = optional(bool, false)
ipv6_cidr_block = optional(string, null)
enable_dns64 = optional(bool, false)
nat_gateway_name = optional(string, null)
create_nat_gateway = optional(bool, true)
attach_nat_gateway = optional(bool, false)
attach_internet_gateway = optional(bool, false)
additional_routes = optional(list(object({
type = optional(string, "transit-gateway") // possible values : network-interface ,transit-gateway, vpc-endpoint, vpc-peering-connection
id = string
destination_cidr_block = optional(string, null)
destination_ipv6_cidr_block = optional(string, null)
}
)), [])
}))
null no
tags (optional) Tags for VPC resources map(string) {} no
vpc_endpoint_data (optional) List of VPC endpoints to be created
list(object({
service = string
route_table_filter = optional(string, "private") // possible values 'private' and 'public'
policy_doc = optional(string, null)
private_dns_enabled = optional(bool, false)
security_group_ids = optional(list(string), [])
}))
[] no
vpc_flow_log_config If s3_bucket_arn is null, only CloudWatch logging is enabled by default. If s3_bucket_arn is provided, S3 logging is enabled.
object({
enable = bool
retention_in_days = number
s3_bucket_arn = string
})
{
"enable": true,
"retention_in_days": 7,
"s3_bucket_arn": null
}
no

Outputs

Name Description
default_route_table_id The Default Route Table ID for the VPC
id The VPC ID
igw_id Internet gateway ID for the VPC
main_route_table_id The Main Route Table ID for the VPC
private_subnet_ids Private subnet IDs
public_subnet_ids Public subnet IDs
vpc_cidr The VPC CIDR block
vpc_default_network_acl_id The ID of the network ACL created by default on VPC creation
vpn_endpoint_arn The ARN of the Client VPN Endpoint Connection.

Development

Prerequisites

Configurations

  • Configure pre-commit hooks
    pre-commit install
    
  • Configure golang deps for tests
    go get github.com/gruntwork-io/terratest/modules/terraform
    go get github.com/stretchr/testify/assert
    

Git commits

while Contributing or doing git commit please specify the breaking change in your commit message whether its major,minor or patch

For Example

git commit -m "your commit message #major"
By specifying this , it will bump the version and if you dont specify this in your commit message then by default it will consider patch and will bump that accordingly

Tests

  • Tests are available in test directory
  • In the test directory, run the below command
    go test -timeout 1800s
    

Authors

This project is authored by: - SourceFuse