From 15942ee76c0595c76af74aec7aec687b1264b44f Mon Sep 17 00:00:00 2001
From: xpk
Date: Mon, 12 Dec 2022 12:56:33 +0800
Subject: [PATCH] UPD: took back the last change, subnet cidrs are now calculated by this module. See README.md for more details
---
 modules/networking/vpc_subnets/README.md | 68 +++++++++++----------
 modules/networking/vpc_subnets/variables.tf | 8 +--
 modules/networking/vpc_subnets/vpc.tf | 32 +++++++---
 3 files changed, 63 insertions(+), 45 deletions(-)
diff --git a/modules/networking/vpc_subnets/README.md b/modules/networking/vpc_subnets/README.md
index 516548c..d7923c9 100644
--- a/modules/networking/vpc_subnets/README.md
+++ b/modules/networking/vpc_subnets/README.md
@@ -1,4 +1,5 @@
 # Overview
+
 This module performs the following tasks:
 - Create VPC, vpcflow log
@@ -6,41 +7,46 @@ This module performs the following tasks:
 - Create IGW, NGW
 ## Subnet addressing
-This module takes in the VPC cidr. Then add 4 bits to the netmask and divide the cidr into 2 ranges.
-First range will be used for private subnet and second for public subnets.
-Another 4 bits are added to these ranges for each subnet.
-For example, if the VPC cidr is 10.2.0.0/16, the following subnets will be created:
+Subnet cidrs are calculated automatically. Due to the design of terraform's cidrsubnets, this module has limitations:
-| Subnet Type | Subnet AZ1 | Subnet AZ2 | Subnet AZ3 |
-|-------------|------------|------------|------------|
-| Private | 10.2.0.0/24 | 10.2.1.0/24 | 10.2.2.0/24 |
-| Public | 10.2.16.0/24 | 10.2.17.0/24 | 10.2.18.0/24 |
+* supports 2, 4, 6, or 8 subnets in total.
+* hard-coded to work with 2 AZs, regardless of number of AZs available in the region.
-The VPC cidr netmask should be /20 or above, to produce subnets with /28 netmasks or above.
-Subnet smaller than /28 is unlikely useful.
+Based on the input variables, it will create subnet cidrs using the following function
+
+| Private Subnets per az | Public Subnets per az | Function | Example if a /24 is used on VPC |
+| ---------------------- | --------------------- | -------------------------------------------- | ------------------------------- |
+| 1 | 0 | cidrsubnets(local.vpc-cidr, 1,1) | 2 * /25 |
+| 1 | 1 | cidrsubnets(local.vpc-cidr, 2,2,2,2) | 4 * /26 |
+| 2 | 1 | cidrsubnets(local.vpc-cidr, 3,3,3,3,3,3) | 6 * /27 |
+| 2 | 2 | cidrsubnets(local.vpc-cidr, 4,4,4,4,4,4,4,4) | 8 * /28 |
+
+simple-divide = local.total-no-subnets >=8 ? cidrsubnets(local.vpc-cidr, 4,4,4,4,4,4,4,4) : local.total-no-subnets >=6 ? cidrsubnets(local.vpc-cidr, 3,3,3,3,3,3) : local.total-no-subnets >=4 ? cidrsubnets(local.vpc-cidr, 2,2,2,2) : local.total-no-subnets >=2 ? cidrsubnets(local.vpc-cidr, 1,1) : null
 ## Inputs:
-| Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:-----:|
-| application | name of application | string | none | yes |
-| environment | capacity of environment (prd/dev/lab) | string | none | yes |
-| customer-name | owner of aws resources | string | none | yes |
-| project | name of project | string | none | yes |
-| default-tags | tags to be added to resources | list | none | yes |
-| number-of-private-subnets-per-az | number of private subnets per az | number | 0 | yes |
-| number-of-public-subnets-per-az | number of public subnets per az | number | 0 | yes |
-| create-nat-gateway | whether to deploy NAT gateway for private subnets | bool | true | yes |
-| vpc-cidr | VPC cidr | string | none | yes |
-| enable-flowlog | whether to enable vpc flowlog | bool | true | yes |
-| vpcflowlog-retain-days | number of days to retain vpc cloudwatch log | number | 90 | yes |
-| aws-region-short | short name of aws region (e.g. apne1) | string | none | yes |
-| aws-region | aws region (e.g. ap-northeast-1) | string | none | yes |
-| vpcflowlog-cwl-loggroup-key-arn | kms key alias arn for log group encryption | string | none | yes |
+
+| Name | Description | Type | Default | Required |
+| -------------------------------- | ------------------------------------------------- | ------ | ------- |:--------:|
+| application | name of application | string | none | yes |
+| environment | capacity of environment (prd/dev/lab) | string | none | yes |
+| customer-name | owner of aws resources | string | none | yes |
+| project | name of project | string | none | yes |
+| default-tags | tags to be added to resources | list | none | yes |
+| number-of-private-subnets-per-az | number of private subnets per az | number | 0 | yes |
+| number-of-public-subnets-per-az | number of public subnets per az | number | 0 | yes |
+| create-nat-gateway | whether to deploy NAT gateway for private subnets | bool | true | yes |
+| vpc-cidr | VPC cidr | string | none | yes |
+| enable-flowlog | whether to enable vpc flowlog | bool | true | yes |
+| vpcflowlog-retain-days | number of days to retain vpc cloudwatch log | number | 90 | yes |
+| aws-region-short | short name of aws region (e.g. apne1) | string | none | yes |
+| aws-region | aws region (e.g. ap-northeast-1) | string | none | yes |
+| vpcflowlog-cwl-loggroup-key-arn | kms key alias arn for log group encryption | string | none | yes |
 ## Outputs:
-| Name | Description | Type |
-|------|-------------|------|
-| vpc_id | vpc id | string |
-| public_subnets | list of cidr blocks | list |
-| private_subnets | list of cidr blocks | list |
+
+| Name | Description | Type |
+| --------------- | ------------------- | ------ |
+| vpc_id | vpc id | string |
+| public_subnets | list of cidr blocks | list |
+| private_subnets | list of cidr blocks | list |
diff --git a/modules/networking/vpc_subnets/variables.tf b/modules/networking/vpc_subnets/variables.tf
index ecf85a9..6ef6931 100644
--- a/modules/networking/vpc_subnets/variables.tf
+++ b/modules/networking/vpc_subnets/variables.tf
@@ -11,7 +11,7 @@ locals {
 # VPC variables
 variable "vpc-cidr" {}
-/*
+
 variable number-of-public-subnets-per-az {
 type = number
 default = 0
@@ -20,7 +20,7 @@ variable number-of-private-subnets-per-az {
 type = number
 default = 0
 }
-*/
+
 variable "create-nat-gateway" {
 type = bool
 default = false
@@ -34,8 +34,8 @@ variable "vpcflowlog-retain-days" {
 default = 90
 }
 variable "vpcflowlog-cwl-loggroup-key-arn" {}
-variable "private-subnet-cidrs" {}
-variable "public-subnet-cidrs" {}
+# variable "private-subnet-cidrs" {}
+# variable "public-subnet-cidrs" {}
 variable "create-free-vpc-endpoints" {
 type = bool
 default = true
diff --git a/modules/networking/vpc_subnets/vpc.tf b/modules/networking/vpc_subnets/vpc.tf
index fa18d33..94f891c 100644
--- a/modules/networking/vpc_subnets/vpc.tf
+++ b/modules/networking/vpc_subnets/vpc.tf
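Review bot: The re-enabled `variable number-of-public-subnets-per-az` block carries no `validation`, yet vpc.tf's `simple-divide` only handles totals of 2, 4, 6 or 8 across the two hard-coded AZs and yields `null` for 0, so an out-of-range value fails later inside `slice()` with an unhelpful message instead of at variable evaluation. Bounding the value to 0–2 makes the README's supported combinations explicit and fails fast; the cross-variable "at least one subnet in total" rule cannot be expressed in a per-variable `validation` and belongs in a `precondition` on the subnet resources. The same applies to `number-of-private-subnets-per-az`, whose header is the funcname context of the next hunk (`@@ -20,7`). `variable "vpc-cidr" {}` is likewise untyped; `type = string` with `condition = can(cidrhost(var.vpc-cidr, 0))` would reject a malformed prefix before `cidrsubnets` does.
```hcl
variable number-of-public-subnets-per-az {
  type    = number
  default = 0
  validation {
    condition     = var.number-of-public-subnets-per-az >= 0 && var.number-of-public-subnets-per-az <= 2
    error_message = "number-of-public-subnets-per-az must be 0, 1 or 2 (see README.md, Subnet addressing)."
  }
}
```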
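Review bot: The context line `default = false` under `variable "create-nat-gateway"` disagrees with the README table rewritten in this same patch, which documents the default as `true`; one of the two should change so that a caller relying on the documented default does not end up with private subnets that have no egress route. The README also marks every variable as Required "yes" although several, including this one, carry defaults.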
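Review bot: `# variable "private-subnet-cidrs" {}` and `# variable "public-subnet-cidrs" {}` leave the old declarations as commented-out code rather than deleting them; the history already records them, and the remaining comment invites someone to re-enable them while vpc.tf no longer reads them. Removing the declarations is a breaking change for any caller still passing these two arguments (Terraform rejects an undeclared module argument), which the commit message does not mention.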
@@ -3,16 +3,26 @@ data "aws_availability_zones" "available-az" {
 }
 locals {
- subnet_start = cidrsubnets(var.vpc-cidr, 1, 1) # divide vpc into 2
+ // subnet_start = cidrsubnets(var.vpc-cidr, 1, 1) # divide vpc into 2
+ # no-az = length(data.aws_availability_zones.available-az.id)
+ no-az = 2 # hard-coding to 2AZ
+ vpc-cidr = var.vpc-cidr
+ total-no-subnets = local.no-az * (var.number-of-private-subnets-per-az + var.number-of-public-subnets-per-az)
+
+ simple-divide = local.total-no-subnets >=8 ? cidrsubnets(local.vpc-cidr, 4,4,4,4,4,4,4,4) : local.total-no-subnets >=6 ? cidrsubnets(local.vpc-cidr, 3,3,3,3,3,3) : local.total-no-subnets >=4 ? cidrsubnets(local.vpc-cidr, 2,2,2,2) : local.total-no-subnets >=2 ? cidrsubnets(local.vpc-cidr, 1,1) : null
+ public-subnets = slice(local.simple-divide, 0, var.number-of-public-subnets-per-az * local.no-az)
+ private-subnets = slice(local.simple-divide, var.number-of-public-subnets-per-az * local.no-az , local.total-no-subnets)
 }
 resource aws_subnet private-subnets {
- count = length(var.private-subnet-cidrs)
+ count = length(local.private-subnets)
+ # count = length(var.private-subnet-cidrs)
 # count = var.number-of-private-subnets-per-az * length(data.aws_availability_zones.available-az.names)
 vpc_id = aws_vpc.vpc.id
 availability_zone = element(data.aws_availability_zones.available-az.names, count.index)
 # cidr_block = cidrsubnet(local.subnet_start[0], 2, count.index)
- cidr_block = var.private-subnet-cidrs[count.index]
+ # cidr_block = var.private-subnet-cidrs[count.index]
+ cidr_block = local.private-subnets[count.index]
 tags = merge(
 var.default-tags,
 {
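Review bot: `availability_zone = element(data.aws_availability_zones.available-az.names, count.index)` is kept unchanged while the cidr math now assumes `local.no-az = 2`, so in a region exposing three or more AZs the third subnet lands in the third AZ and the fourth wraps back to the first, and the per-AZ counts no longer match `number-of-*-subnets-per-az`; restricting placement to the same two AZs, `availability_zone = element(slice(data.aws_availability_zones.available-az.names, 0, local.no-az), count.index)`, keeps allocation and placement consistent. The same line appears in the public-subnets hunk (`@@ -22,12`). `simple-divide` falls back to `null` when both counts are 0 and yields only eight cidrs for larger totals, so both cases fail inside the two `slice()` calls rather than with a clear message; `: []` as the fallback plus a `precondition` rejecting totals outside 2/4/6/8 would make the failure explicit. The commented `# no-az = length(data.aws_availability_zones.available-az.id)` would measure the `id` string rather than the `names` list if it is ever re-enabled. The private-subnets resource continues past the end of the hunk.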
@@ -22,12 +32,14 @@ resource aws_subnet private-subnets {
 }
 resource aws_subnet public-subnets {
- count = length(var.public-subnet-cidrs)
+ count = length(local.public-subnets)
+ # count = length(var.public-subnet-cidrs)
 # count = var.number-of-public-subnets-per-az * length(data.aws_availability_zones.available-az.names)
 vpc_id = aws_vpc.vpc.id
 availability_zone = element(data.aws_availability_zones.available-az.names, count.index)
 # cidr_block = cidrsubnet(local.subnet_start[1], 2, count.index)
- cidr_block = var.public-subnet-cidrs[count.index]
+ # cidr_block = var.public-subnet-cidrs[count.index]
+ cidr_block = local.public-subnets[count.index]
 tags = merge(
 var.default-tags,
 {
@@ -54,7 +66,7 @@ resource "aws_vpc" "vpc" {
 }
 resource "aws_internet_gateway" "igw" {
- count = length(var.public-subnet-cidrs) > 0 ? 1 : 0
+ count = var.number-of-public-subnets-per-az > 0 ? 1 : 0
 vpc_id = aws_vpc.vpc.id
 tags = merge(
@@ -88,7 +100,7 @@ resource "aws_nat_gateway" "ngw" {
 }
 resource aws_route_table public-route-table {
- count = length(var.public-subnet-cidrs) > 0 ? 1 : 0
+ count = var.number-of-public-subnets-per-az > 0 ? 1 : 0
 vpc_id = aws_vpc.vpc.id
 tags = merge(
 var.default-tags,
@@ -99,7 +111,7 @@ resource aws_route_table public-route-table {
 }
 resource aws_route_table private-route-table {
- count = length(var.private-subnet-cidrs) > 0 ? 1 : 0
+ count = var.number-of-private-subnets-per-az > 0 ? 1 : 0
 vpc_id = aws_vpc.vpc.id
 tags = merge(
 var.default-tags,
@@ -110,7 +122,7 @@ resource aws_route_table private-route-table {
 }
 resource "aws_route" "public-routes" {
- count = length(var.public-subnet-cidrs) > 0 ? 1 : 0
+ count = var.number-of-public-subnets-per-az > 0 ? 1 : 0
 destination_cidr_block = "0.0.0.0/0"
 gateway_id = aws_internet_gateway.igw[0].id
@@ -118,7 +130,7 @@ resource "aws_route" "public-routes" {
 }
 resource "aws_route" "private-routes" {
- count = length(var.private-subnet-cidrs) > 0 && var.create-nat-gateway ? 1 : 0
+ count = var.number-of-private-subnets-per-az > 0 && var.create-nat-gateway ? 1 : 0
 destination_cidr_block = "0.0.0.0/0"
 nat_gateway_id = aws_nat_gateway.ngw[0].id