AWS VPC Setup

The module creates a set of resources and configures VPC following a canonical scheme for secure multi-AZ AWS VPC.
The setup includes public and private subnets with NAT gateways and Internet Gateway in specified Avalability Zone(s).

Once you have a Corewide Solutions Portal account, this one-time action will use your browser session to retrieve credentials:

 shellterraform login solutions.corewide.com

Provision instructions

Initialize mandatory providers:

hashicorp/aws

Copy and paste into your Terraform configuration and insert the variables:

 hclmodule "tf_aws_vpc" {
  source  = "solutions.corewide.com/aws/tf-aws-vpc/aws"
  version = "~> 4.0.0"

  # specify module inputs here or try one of the examples below
  ...
}

Initialize the setup:

 shellterraform init

Define update strategy

Corewide DevOps team strictly follows Semantic Versioning Specification to provide our clients with products that have predictable upgrades between versions. We recommend pinning patch versions of our modules using pessimistic constraint operator (~>) to prevent breaking changes during upgrades.

To get new features during the upgrades (without breaking compatibility), use ~> 4.0 and run terraform init -upgrade

For the safest setup, use strict pinning with version = "4.0.0"

$500

BUY

285

License

v4.0.0 released 2 years ago

New version approx. every 12 weeks

Upgrade Notes

Changelog

All notable changes to this project are documented here.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

v5.2.0 - 2024-12-09

Added

preset for canonical-lite networking setup, that limits the number of AZ covered, with a network scheme similar to canonical preset.

v5.1.1 - 2024-07-30

Fixed

duplicated subnet types in subnet names
compatibility issues when upgrading from 5.0 to 5.1 without defining per-subnet tags

v5.1.0 - 2024-03-20

Added

an option to specify additional tags per subnet

v5.0.0 - 2023-11-30

BREAKING CHANGE: resources naming style was changed to follow Terraform naming conventions, which is incompatible with previous versions. Upgrade from an older version is possible with manual changes, see Upgrade Notes section

Added

moved {} blocks for the following resources: aws_vpc, aws_internet_gateway, aws_route

Changed

naming principle for the following resources: aws_vpc, aws_internet_gateway, aws_route, aws_eip, aws_nat_gateway, aws_route_table, aws_route_table_association

v4.1.0 - 2023-07-25

Added

presets for commonly used networking setups: simple, canonical and advanced. advanced preset is set as default for compatibility with previous versions. Presets encapsulate configuration for popular network configuration scenarios and automatically calculate CIDRs for subnets
ha_enabled variable to toggle multi-zone feature for a particular preset (ignored for advanced one)
nat_enabled variable to toggle NAT configuration for canonical preset (ignored for others)
output for NAT GW IPs, convenient when third party services need to whitelist the IPs the project's traffic originates from

Changed

subnets variable is now optional and is only used with advanced preset
documentation now focuses on presets as the key feature of the module
module slug and URL

Removed

enable_dns_hostnames variable (deprecation notice expired)

v4.0.0 - 2023-06-15

BREAKING CHANGE: naming style for resources managed with for_each was changed. The new subnet management scheme is incompatible with previous versions. Upgrade from an older version is possible with manual changes, see Upgrade Notes section

Fixed

ability to create multiple subnets using a single subnet block

Added

nat_via argument for the subnets variable
validation for private and public subnets - can't create both public and private subnets using the same variable object
validation for public subnet - it cannot have both the CIDR block value and the public network suffix reference
validation rule for subnet naming

Changed

naming principle for resources managed with for_each
subnet definition and setting method
subnets variable type from list(object) to map(object)
updated TF AWS provider dependency - set major provider version 5.* and newer

v3.1.0 - 2023-02-22

(Last version compatible with Terraform AWS v4)

Added

dns_hostnames_enabled variable that will replace enable_dns_hostnames after two minor releases

Deprecated

enable_dns_hostnames variable in favor of dns_hostnames_enabled

v3.0.0 - 2023-01-18

BREAKING CHANGE: now all resources managed with for_each have corresponding names in the state instead of abstract indexed names; new naming scheme is incompatible with previous versions. Upgrade from an older version is possible with manual changes, see Upgrade Notes section

Added

validation of CIDR block for private and public subnets - at least one must be provided

Changed

naming principle for resources managed with for_each - aws_subnet, aws_eip, aws_nat_gateway, aws_route_table, aws_route_table_association
naming of outputs with subnets

v2.0.1 - 2022-10-18

Added

validation for name_prefix input to allow only alphanumeric characters, dashes, underscores and dots (only between the alphanumeric characters)

v2.0.0 - 2022-10-17

BREAKING CHANGE: now module inputs and resources management have fundamentally new concept. Upgrade from an older version is possible with manual changes, see Upgrade Notes section

Changed

allow to define the full VPC CIDR block
remove the dependency of subnets amount from availability zones amount and allow to define the details for each particular subnet independently
optimize the amount of created resources for the private segment of the VPC
updated TF AWS provider dependency - set major provider version 4.*
bump Terraform version to 1.3 and newer
format code in accordance with Terraform style conventions

v1.3.0 - 2021-09-20

(Last version compatible with Terraform AWS v3)

Added

enable_auto_assigning_ips variable (false by default)

Changed

update subnet tagging to provide more distinguishable names

v1.2.0 - 2021-09-20

Added

enable_dns_hostnames variable (true by default)

v1.1.0 - 2021-08-30

Added

enable_private_network variable (true by default)

Changed

make private subnets optional

v1.0.0 - 2021-08-02

First stable version

Added

at least one private and public subnet creation/management
one NAT GW per private subnet creation/management
one IGW per VPC creation/management

NOTE: Tags with cloud resources names will cause changes according to updated conditions in the code, but they are safe to apply

The module from v2.0 has changed inputs principles and handling of multiple resource copies from count meta-argument to for_each which aren't compatible with an old version. First, update declaration of module according to the requirements and examples in order to match designed VPC configuration, then re-init module and update naming in Terraform state of managed indexed resources.

From `v1.x` to `v2.x`

For example, the NAT gateway resource represented in the TF state file as:

module.vpc.aws_nat_gateway.nat_gw[0]

will become:

module.vpc.aws_nat_gateway.nat_gw["0"]

It's necessary to change state file accordingly:

 bashterraform state mv module.vpc.aws_nat_gateway.nat_gw[0] module.vpc.aws_nat_gateway.nat_gw[\"0\"]

From `v1.x` or `v2.x` to `v3.x`

The module v3.0 has changed keys naming design of resources managed with for_each which aren't compatible with an old version. First, re-init the module, then update naming in Terraform state of managed indexed resources.

As an example, the name_prefix variable is set to foo and the NAT gateway resource represented in the TF state file as follows:

module.vpc.aws_nat_gateway.nat_gw[0] - in v1.x

module.vpc.aws_subnet.public["0"] - in v2.x

the variable value will be added to the resource name in v3.x:

module.vpc.aws_nat_gateway.nat_gw["foo"]

The state file must be changed accordingly.

If the initial module version is v1.x:

 bashterraform state mv module.vpc.aws_nat_gateway.nat_gw[0] module.vpc.aws_nat_gateway.nat_gw[\"foo\"]

If the initial module version is v2.x:

 bashterraform state mv module.vpc.aws_nat_gateway.nat_gw[\"0\"] module.vpc.aws_nat_gateway.nat_gw[\"foo\"]

From `v3.x` to `v4.x`

The module v4.0 has changed the key naming design of resources managed with for_each. The private/public subnet management way changed as well. It makes the new module version incompatible with the previous one. First, re-init the module and change the subnet definition arguments according to the documentation and examples.

For example, the name_prefix variable is set to foo, subnets["name"] is bar and the NAT gateway resource represented in the TF state file as follows:

module.vpc.aws_nat_gateway.nat_gw["foo"]

the subnet name value will be added to the resource name:

module.vpc.aws_nat_gateway.nat_gw[\"foo-bar\"]

The state file should then be modified accordingly::

 bashterraform state mv module.vpc.aws_nat_gateway.nat_gw[\"foo\"] module.vpc.aws_nat_gateway.nat_gw[\"foo-bar\"]

From `v4.x` to `v5.x`

The module v5.0 has changed the key naming pattern of the following resources: aws_vpc, aws_internet_gateway, aws_route, aws_eip, aws_nat_gateway, aws_route_table, aws_route_table_association.

aws_vpc, aws_internet_gateway, aws_route resources are moved automatically with moved {} block, but other ones should be migrated manually.

For example, the name_prefix variable is set to foo, subnets["name"] is bar and the resources represented in the TF state file as follows:

module.vpc.aws_eip.elastic_ip[\"foo-bar\"]
module.vpc.aws_nat_gateway.nat_gw[\"foo-bar\"]
module.vpc.aws_route_table.private[\"foo-bar\"]
module.vpc.aws_route_table_association.private[\"foo-bar\"]

they will be changed to:

module.vpc.aws_eip.nat_gw[\"foo-bar\"]
module.vpc.aws_nat_gateway.main[\"foo-bar\"]
module.vpc.aws_route_table.private_subnet_to_nat_gw[\"foo-bar\"]
module.vpc.aws_route_table_association.private_subnet_to_nat_gw[\"foo-bar\"]

The state file then should be modified accordingly:

 bashterraform state mv module.vpc.aws_eip.elastic_ip[\"foo-bar\"] module.vpc.aws_eip.nat_gw[\"foo-bar\"]
terraform state mv module.vpc.aws_nat_gateway.nat_gw[\"foo-bar\"] module.vpc.aws_nat_gateway.main[\"foo-bar\"]
terraform state mv module.vpc.aws_route_table.private[\"foo-bar\"] module.vpc.aws_route_table.private_to_nat_gw[\"foo-bar\"]
terraform state mv module.vpc.aws_route_table_association.private[\"foo-bar\"] module.vpc.aws_route_table_association.private_to_nat_gw[\"foo-bar\"]

Canonical VPC setup with public and private segments of the network:

 hclmodule "vpc" {
  source  = "solutions.corewide.com/aws/tf-aws-vpc/aws"
  version = "~> 4.0"

  name_prefix = "foo"
  cidr_block  = "20.20.0.0/16"

  subnets = {
    private-1 = {
      availability_zone         = "us-east-1b"
      private_subnet_cidr_block = "20.20.6.0/24"
      #  Setup outgoing access to the Internet with NAT gateway
      nat_via = "public-1"
    },
    public-1 = {
      availability_zone        = "us-east-1b"
      public_subnet_cidr_block = "20.20.5.0/24"
    },
  }

  tags = {
    Project = "bar"
  }
}

Non-canonical VPC setup:

 hclmodule "vpc" {
  source  = "solutions.corewide.com/aws/tf-aws-vpc/aws"
  version = "~> 4.0"

  name_prefix = "foo"
  cidr_block  = "20.20.0.0/16"

  subnets = {
    private-1 = {
      availability_zone         = "us-east-1b"
      private_subnet_cidr_block = "20.20.6.0/24"
    },
    public-1 = {
      availability_zone        = "us-east-1b"
      public_subnet_cidr_block = "20.20.5.0/24"
    },
  }

  tags = {
    Project = "bar"
  }
}

Variable	Description	Type	Default	Required	Sensitive
`cidr_block`	The CIDR block for the VPC	`string`		yes	no
`name_prefix`	Naming prefix for all the resources created by the module	`string`		yes	no
`subnets`	Specific definitions for the subnets creation. Map keys are used as subnet names and values with further defined elements	`map(object)`		yes	no
`subnets[<key>]`	Subnet name	`string`		yes	no
`tags`	Tag(s) that must be assigned to resources	`map(string)`		yes	no
`dns_hostnames_enabled`	Enable/disable DNS hostnames for VPC	`bool`	`true`	no	no
`enable_dns_hostnames`	Enable/disable DNS hostnames for VPC (Deprecated in favour of \"dns_hostnames_enabled\" and will be deleted in the next few releases)	`bool`		no	no
`private_subnet_destination_cidr_block`	Allowed destination CIDR block for access from the public VPC segment	`string`	`0.0.0.0/0`	no	no
`public_subnet_destination_cidr_block`	Allowed destination CIDR block for access from the public VPC segment	`string`	`0.0.0.0/0`	no	no
`subnets[<key>].availability_zone`	Availability zone of the subnet	`string`		yes	no
`subnets[<key>].enable_auto_assigning_ips`	Defines that instances launched into the public subnet should be assigned a public IP address	`bool`	`true`	no	no
`subnets[<key>].nat_via`	Name of public subnet to create NAT GW in. Private network will use it for outgoing Internet traffic	`string`		no	no
`subnets[<key>].private_subnet_cidr_block`	The IPv4 CIDR block for the private subnet	`string`		no	no
`subnets[<key>].public_subnet_cidr_block`	The IPv4 CIDR block for the public subnet	`string`		no	no

Output	Description	Type	Sensitive
`private_subnets`	Contains attributes of private VPC segment	`resource`	no
`public_subnets`	Contains attributes of public VPC segment	`resource`	no
`vpc`	Contains attributes of `aws_vpc` resource	`resource`	no