UPD: reverted the last change; subnet CIDRs are now calculated by this module. See README.md for more details

This commit is contained in:
xpk 2022-12-12 12:56:33 +08:00
parent 154ee2a0eb
commit 15942ee76c
Signed by: xpk
GPG Key ID: CD4FF6793F09AB86
3 changed files with 63 additions and 45 deletions


@ -1,4 +1,5 @@
# Overview # Overview
This module performs the following tasks: This module performs the following tasks:
- Create VPC, vpcflow log - Create VPC, vpcflow log
@ -6,41 +7,46 @@ This module performs the following tasks:
- Create IGW, NGW - Create IGW, NGW
## Subnet addressing ## Subnet addressing
This module takes in the VPC cidr. Then add 4 bits to the netmask and divide the cidr into 2 ranges.
First range will be used for private subnet and second for public subnets.
Another 4 bits are added to these ranges for each subnet.
For example, if the VPC cidr is 10.2.0.0/16, the following subnets will be created: Subnet cidrs are calculated automatically. Due to the design of terraform's cidrsubnets, this module has limitations:
| Subnet Type | Subnet AZ1 | Subnet AZ2 | Subnet AZ3 | * supports 2, 4, 6, or 8 subnets in total.
|-------------|------------|------------|------------| * hard-coded to work with 2 AZs, regardless of number of AZs available in the region.
| Private | 10.2.0.0/24 | 10.2.1.0/24 | 10.2.2.0/24 |
| Public | 10.2.16.0/24 | 10.2.17.0/24 | 10.2.18.0/24 |
The VPC cidr netmask should be /20 or above, to produce subnets with /28 netmasks or above. Based on the input variables, it will create subnet cidrs using the following function
Subnet smaller than /28 is unlikely useful.
| Private Subnets per az | Public Subnets per az | Function | Example if a /24 is used on VPC |
| ---------------------- | --------------------- | -------------------------------------------- | ------------------------------- |
| 1 | 0 | cidrsubnets(local.vpc-cidr, 1,1) | 2 * /25 |
| 1 | 1 | cidrsubnets(local.vpc-cidr, 2,2,2,2) | 4 * /26 |
| 2 | 1 | cidrsubnets(local.vpc-cidr, 3,3,3,3,3,3) | 6 * /27 |
| 2 | 2 | cidrsubnets(local.vpc-cidr, 4,4,4,4,4,4,4,4) | 8 * /28 |
simple-divide = local.total-no-subnets >=8 ? cidrsubnets(local.vpc-cidr, 4,4,4,4,4,4,4,4) : local.total-no-subnets >=6 ? cidrsubnets(local.vpc-cidr, 3,3,3,3,3,3) : local.total-no-subnets >=4 ? cidrsubnets(local.vpc-cidr, 2,2,2,2) : local.total-no-subnets >=2 ? cidrsubnets(local.vpc-cidr, 1,1) : null
## Inputs: ## Inputs:
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:-----:| | Name | Description | Type | Default | Required |
| application | name of application | string | none | yes | | -------------------------------- | ------------------------------------------------- | ------ | ------- |:--------:|
| environment | capacity of environment (prd/dev/lab) | string | none | yes | | application | name of application | string | none | yes |
| customer-name | owner of aws resources | string | none | yes | | environment | capacity of environment (prd/dev/lab) | string | none | yes |
| project | name of project | string | none | yes | | customer-name | owner of aws resources | string | none | yes |
| default-tags | tags to be added to resources | list | none | yes | | project | name of project | string | none | yes |
| number-of-private-subnets-per-az | number of private subnets per az | number | 0 | yes | | default-tags | tags to be added to resources | list | none | yes |
| number-of-public-subnets-per-az | number of public subnets per az | number | 0 | yes | | number-of-private-subnets-per-az | number of private subnets per az | number | 0 | yes |
| create-nat-gateway | whether to deploy NAT gateway for private subnets | bool | true | yes | | number-of-public-subnets-per-az | number of public subnets per az | number | 0 | yes |
| vpc-cidr | VPC cidr | string | none | yes | | create-nat-gateway | whether to deploy NAT gateway for private subnets | bool | true | yes |
| enable-flowlog | whether to enable vpc flowlog | bool | true | yes | | vpc-cidr | VPC cidr | string | none | yes |
| vpcflowlog-retain-days | number of days to retain vpc cloudwatch log | number | 90 | yes | | enable-flowlog | whether to enable vpc flowlog | bool | true | yes |
| aws-region-short | short name of aws region (e.g. apne1) | string | none | yes | | vpcflowlog-retain-days | number of days to retain vpc cloudwatch log | number | 90 | yes |
| aws-region | aws region (e.g. ap-northeast-1) | string | none | yes | | aws-region-short | short name of aws region (e.g. apne1) | string | none | yes |
| vpcflowlog-cwl-loggroup-key-arn | kms key alias arn for log group encryption | string | none | yes | | aws-region | aws region (e.g. ap-northeast-1) | string | none | yes |
| vpcflowlog-cwl-loggroup-key-arn | kms key alias arn for log group encryption | string | none | yes |
## Outputs: ## Outputs:
| Name | Description | Type |
|------|-------------|------| | Name | Description | Type |
| vpc_id | vpc id | string | | --------------- | ------------------- | ------ |
| public_subnets | list of cidr blocks | list | | vpc_id | vpc id | string |
| private_subnets | list of cidr blocks | list | | public_subnets | list of cidr blocks | list |
| private_subnets | list of cidr blocks | list |


@ -11,7 +11,7 @@ locals {
# VPC variables # VPC variables
variable "vpc-cidr" {} variable "vpc-cidr" {}
/*
variable number-of-public-subnets-per-az { variable number-of-public-subnets-per-az {
type = number type = number
default = 0 default = 0
@ -20,7 +20,7 @@ variable number-of-private-subnets-per-az {
type = number type = number
default = 0 default = 0
} }
*/
variable "create-nat-gateway" { variable "create-nat-gateway" {
type = bool type = bool
default = false default = false
@ -34,8 +34,8 @@ variable "vpcflowlog-retain-days" {
default = 90 default = 90
} }
variable "vpcflowlog-cwl-loggroup-key-arn" {} variable "vpcflowlog-cwl-loggroup-key-arn" {}
variable "private-subnet-cidrs" {} # variable "private-subnet-cidrs" {}
variable "public-subnet-cidrs" {} # variable "public-subnet-cidrs" {}
variable "create-free-vpc-endpoints" { variable "create-free-vpc-endpoints" {
type = bool type = bool
default = true default = true
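Review bot: `variable "vpc-cidr" {}` in the first hunk still has no type and no validation, yet after this commit every subnet CIDR is derived from it through `cidrsubnets(local.vpc-cidr, …)` in main.tf, so a malformed value or a prefix too small for the requested subnet count surfaces only as a function error deep in locals at plan time; declaring `type = string` with a `validation` block makes the contract explicit at the input. The same applies to number-of-private-subnets-per-az and number-of-public-subnets-per-az, whose definitions are only partly inside this hunk: the new simple-divide local yields null when the total is below 2 and at most 8 entries otherwise, so the following slice() calls fail for totals outside 2–8, and a per-variable validation (0–4 each, since single-variable validation cannot see the other input) would reject most bad combinations before they reach the locals. Separately, create-nat-gateway defaults to `false` in this file while the README inputs table in the same commit lists its default as `true`; one of the two should be corrected.
```hcl
variable "vpc-cidr" {
  type = string
  validation {
    condition     = can(cidrhost(var.vpc-cidr, 0))
    error_message = "vpc-cidr must be a valid IPv4 CIDR block."
  }
}
# … unchanged: number-of-*-subnets-per-az, create-nat-gateway and remaining variables (partly outside the hunk) …
```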


@ -3,16 +3,26 @@ data "aws_availability_zones" "available-az" {
} }
locals { locals {
subnet_start = cidrsubnets(var.vpc-cidr, 1, 1) # divide vpc into 2 // subnet_start = cidrsubnets(var.vpc-cidr, 1, 1) # divide vpc into 2
# no-az = length(data.aws_availability_zones.available-az.id)
no-az = 2 # hard-coding to 2AZ
vpc-cidr = var.vpc-cidr
total-no-subnets = local.no-az * (var.number-of-private-subnets-per-az + var.number-of-public-subnets-per-az)
simple-divide = local.total-no-subnets >=8 ? cidrsubnets(local.vpc-cidr, 4,4,4,4,4,4,4,4) : local.total-no-subnets >=6 ? cidrsubnets(local.vpc-cidr, 3,3,3,3,3,3) : local.total-no-subnets >=4 ? cidrsubnets(local.vpc-cidr, 2,2,2,2) : local.total-no-subnets >=2 ? cidrsubnets(local.vpc-cidr, 1,1) : null
public-subnets = slice(local.simple-divide, 0, var.number-of-public-subnets-per-az * local.no-az)
private-subnets = slice(local.simple-divide, var.number-of-public-subnets-per-az * local.no-az , local.total-no-subnets)
} }
resource aws_subnet private-subnets { resource aws_subnet private-subnets {
count = length(var.private-subnet-cidrs) count = length(local.private-subnets)
# count = length(var.private-subnet-cidrs)
# count = var.number-of-private-subnets-per-az * length(data.aws_availability_zones.available-az.names) # count = var.number-of-private-subnets-per-az * length(data.aws_availability_zones.available-az.names)
vpc_id = aws_vpc.vpc.id vpc_id = aws_vpc.vpc.id
availability_zone = element(data.aws_availability_zones.available-az.names, count.index) availability_zone = element(data.aws_availability_zones.available-az.names, count.index)
# cidr_block = cidrsubnet(local.subnet_start[0], 2, count.index) # cidr_block = cidrsubnet(local.subnet_start[0], 2, count.index)
cidr_block = var.private-subnet-cidrs[count.index] # cidr_block = var.private-subnet-cidrs[count.index]
cidr_block = local.private-subnets[count.index]
tags = merge( tags = merge(
var.default-tags, var.default-tags,
{ {
@ -22,12 +32,14 @@ resource aws_subnet private-subnets {
} }
resource aws_subnet public-subnets { resource aws_subnet public-subnets {
count = length(var.public-subnet-cidrs) count = length(local.public-subnets)
# count = length(var.public-subnet-cidrs)
# count = var.number-of-public-subnets-per-az * length(data.aws_availability_zones.available-az.names) # count = var.number-of-public-subnets-per-az * length(data.aws_availability_zones.available-az.names)
vpc_id = aws_vpc.vpc.id vpc_id = aws_vpc.vpc.id
availability_zone = element(data.aws_availability_zones.available-az.names, count.index) availability_zone = element(data.aws_availability_zones.available-az.names, count.index)
# cidr_block = cidrsubnet(local.subnet_start[1], 2, count.index) # cidr_block = cidrsubnet(local.subnet_start[1], 2, count.index)
cidr_block = var.public-subnet-cidrs[count.index] # cidr_block = var.public-subnet-cidrs[count.index]
cidr_block = local.public-subnets[count.index]
tags = merge( tags = merge(
var.default-tags, var.default-tags,
{ {
@ -54,7 +66,7 @@ resource "aws_vpc" "vpc" {
} }
resource "aws_internet_gateway" "igw" { resource "aws_internet_gateway" "igw" {
count = length(var.public-subnet-cidrs) > 0 ? 1 : 0 count = var.number-of-public-subnets-per-az > 0 ? 1 : 0
vpc_id = aws_vpc.vpc.id vpc_id = aws_vpc.vpc.id
tags = merge( tags = merge(
@ -88,7 +100,7 @@ resource "aws_nat_gateway" "ngw" {
} }
resource aws_route_table public-route-table { resource aws_route_table public-route-table {
count = length(var.public-subnet-cidrs) > 0 ? 1 : 0 count = var.number-of-public-subnets-per-az > 0 ? 1 : 0
vpc_id = aws_vpc.vpc.id vpc_id = aws_vpc.vpc.id
tags = merge( tags = merge(
var.default-tags, var.default-tags,
@ -99,7 +111,7 @@ resource aws_route_table public-route-table {
} }
resource aws_route_table private-route-table { resource aws_route_table private-route-table {
count = length(var.private-subnet-cidrs) > 0 ? 1 : 0 count = var.number-of-private-subnets-per-az > 0 ? 1 : 0
vpc_id = aws_vpc.vpc.id vpc_id = aws_vpc.vpc.id
tags = merge( tags = merge(
var.default-tags, var.default-tags,
@ -110,7 +122,7 @@ resource aws_route_table private-route-table {
} }
resource "aws_route" "public-routes" { resource "aws_route" "public-routes" {
count = length(var.public-subnet-cidrs) > 0 ? 1 : 0 count = var.number-of-public-subnets-per-az > 0 ? 1 : 0
destination_cidr_block = "0.0.0.0/0" destination_cidr_block = "0.0.0.0/0"
gateway_id = aws_internet_gateway.igw[0].id gateway_id = aws_internet_gateway.igw[0].id
@ -118,7 +130,7 @@ resource "aws_route" "public-routes" {
} }
resource "aws_route" "private-routes" { resource "aws_route" "private-routes" {
count = length(var.private-subnet-cidrs) > 0 && var.create-nat-gateway ? 1 : 0 count = var.number-of-private-subnets-per-az > 0 && var.create-nat-gateway ? 1 : 0
destination_cidr_block = "0.0.0.0/0" destination_cidr_block = "0.0.0.0/0"
nat_gateway_id = aws_nat_gateway.ngw[0].id nat_gateway_id = aws_nat_gateway.ngw[0].id