UPD: VPC module now requires cidr ranges to be supplied in root module. Created adconnector module

modules/networking/vpc_subnets/variables.tf

@@ -6,11 +6,12 @@ variable "default-tags" {}
 variable "aws-region" {}
 
 locals {
-  resource-prefix = "${var.environment}-${substr(var.aws-region,0,2)}-${var.customer-name}-${var.project}"
+  resource-prefix = "${var.environment}-${substr(var.aws-region, 0, 2)}-${var.customer-name}-${var.project}"
 }
 
 # VPC variables
-variable vpc-cidr {}
+variable "vpc-cidr" {}
+/*
 variable number-of-public-subnets-per-az {
   type = number
   default = 0
@@ -19,16 +20,23 @@ variable number-of-private-subnets-per-az {
   type = number
   default = 0
 }
-variable create-nat-gateway {
-  type = bool
+*/
+variable "create-nat-gateway" {
+  type    = bool
   default = false
 }
-variable enable-flow-log {
-  type = bool
+variable "enable-flow-log" {
+  type    = bool
   default = true
 }
-variable vpcflowlog-retain-days {
-  type = number
+variable "vpcflowlog-retain-days" {
+  type    = number
   default = 90
 }
-variable vpcflowlog-cwl-loggroup-key-arn {}
+variable "vpcflowlog-cwl-loggroup-key-arn" {}
+variable "private-subnet-cidrs" {}
+variable "public-subnet-cidrs" {}
+variable "create-free-vpc-endpoints" {
+  type    = bool
+  default = true
+}

modules/networking/vpc_subnets/vpc.tf

@@ -3,14 +3,16 @@ data "aws_availability_zones" "available-az" {
 }
 
 locals {
-  subnet_start = cidrsubnets(var.vpc-cidr, 4, 4)
+  subnet_start = cidrsubnets(var.vpc-cidr, 1, 1) # divide vpc into 2
 }
 
 resource aws_subnet private-subnets {
-  count = var.number-of-private-subnets-per-az * length(data.aws_availability_zones.available-az.names)
+  count = length(var.private-subnet-cidrs)
+  # count = var.number-of-private-subnets-per-az * length(data.aws_availability_zones.available-az.names)
   vpc_id = aws_vpc.vpc.id
   availability_zone = element(data.aws_availability_zones.available-az.names, count.index)
-  cidr_block = cidrsubnet(local.subnet_start[0], 4, count.index)
+  # cidr_block = cidrsubnet(local.subnet_start[0], 2, count.index)
+  cidr_block = var.private-subnet-cidrs[count.index]
   tags = merge(
   var.default-tags,
   {
@@ -20,10 +22,12 @@ resource aws_subnet private-subnets {
 }
 
 resource aws_subnet public-subnets {
-  count = var.number-of-public-subnets-per-az * length(data.aws_availability_zones.available-az.names)
+  count = length(var.public-subnet-cidrs)
+  # count = var.number-of-public-subnets-per-az * length(data.aws_availability_zones.available-az.names)
   vpc_id = aws_vpc.vpc.id
   availability_zone = element(data.aws_availability_zones.available-az.names, count.index)
-  cidr_block = cidrsubnet(local.subnet_start[1], 4, count.index)
+  # cidr_block = cidrsubnet(local.subnet_start[1], 2, count.index)
+  cidr_block = var.public-subnet-cidrs[count.index]
   tags = merge(
   var.default-tags,
   {
@@ -50,7 +54,7 @@ resource "aws_vpc" "vpc" {
 }
 
 resource "aws_internet_gateway" "igw" {
-  count = var.number-of-public-subnets-per-az > 0 ? 1 : 0
+  count = length(var.public-subnet-cidrs) > 0 ? 1 : 0
   vpc_id = aws_vpc.vpc.id
 
   tags = merge(
@@ -84,7 +88,7 @@ resource "aws_nat_gateway" "ngw" {
 }
 
 resource aws_route_table public-route-table {
-  count = var.number-of-public-subnets-per-az > 0 ? 1 : 0
+  count = length(var.public-subnet-cidrs) > 0 ? 1 : 0
   vpc_id = aws_vpc.vpc.id
   tags = merge(
   var.default-tags,
@@ -95,7 +99,7 @@ resource aws_route_table public-route-table {
 }
 
 resource aws_route_table private-route-table {
-  count = var.number-of-private-subnets-per-az > 0 ? 1 : 0
+  count = length(var.private-subnet-cidrs) > 0 ? 1 : 0
   vpc_id = aws_vpc.vpc.id
   tags = merge(
   var.default-tags,
@@ -106,7 +110,7 @@ resource aws_route_table private-route-table {
 }
 
 resource "aws_route" "public-routes" {
-  count = var.number-of-public-subnets-per-az > 0 ? 1 : 0
+  count = length(var.public-subnet-cidrs) > 0 ? 1 : 0
 
   destination_cidr_block = "0.0.0.0/0"
   gateway_id             = aws_internet_gateway.igw[0].id
@@ -114,7 +118,7 @@ resource "aws_route" "public-routes" {
 }
 
 resource "aws_route" "private-routes" {
-  count = var.number-of-private-subnets-per-az > 0 ? 1 : 0
+  count = length(var.private-subnet-cidrs) > 0 && var.create-nat-gateway ? 1 : 0
 
   destination_cidr_block = "0.0.0.0/0"
   nat_gateway_id         = aws_nat_gateway.ngw[0].id
@@ -145,12 +149,14 @@ resource "aws_default_security_group" default-sg {
     self = true
     from_port = 0
     to_port = 0
+    description = "Allow traffic coming from this SG"
   }
   egress {
     from_port = 0
     protocol = -1
     to_port = 0
     self = true
+    description = "Allow traffic going to this SG"
   }
   tags = merge(
   var.default-tags,
@@ -162,6 +168,7 @@ resource "aws_default_security_group" default-sg {
 
 # Enable gateway endpoints which are free
 module vpc-ep {
+  count = var.create-free-vpc-endpoints ? 1 : 0
   source = "../vpc-endpoints"
 
   default-tags          = var.default-tags

modules/security_identity_compliance/ds-adconnector/main.tf

@@ -0,0 +1,18 @@
+
+resource "aws_directory_service_directory" "connector" {
+  name        = var.adc-domainname
+  alias       = var.adc-alias # required by enable-sso
+  enable_sso  = var.adc-enable-sso
+  password    = var.adc-service-account-password
+  size        = var.adc-size
+  type        = "ADConnector"
+  description = "ADConnector"
+  tags        = var.default-tags
+
+  connect_settings {
+    customer_dns_ips  = var.adc-dns-ips
+    customer_username = var.adc-service-account-username
+    subnet_ids        = var.adc-subnet-ids
+    vpc_id            = var.adc-vpc-id
+  }
+}

modules/security_identity_compliance/ds-adconnector/outputs.tf

@@ -0,0 +1,11 @@
+output directory-id {
+  value = aws_directory_service_directory.connector.id
+}
+
+output security-group-id {
+  value = aws_directory_service_directory.connector.security_group_id
+}
+
+output connect-settings {
+  value = aws_directory_service_directory.connector.connect_settings
+}

modules/security_identity_compliance/ds-adconnector/variables.tf

@@ -0,0 +1,10 @@
+variable "adc-domainname" {}
+variable "adc-service-account-password" {}
+variable "adc-size" {}
+variable "adc-dns-ips" {}
+variable "adc-service-account-username" {}
+variable "adc-subnet-ids" {}
+variable "adc-vpc-id" {}
+variable "adc-alias" {}
+variable "adc-enable-sso" {}
+variable "default-tags" {}