UPD: took back the last change, subnet cidrs are now calculated by this module. See README.md for more details
This commit is contained in:
parent
154ee2a0eb
commit
15942ee76c
@ -1,4 +1,5 @@
|
||||
# Overview
|
||||
|
||||
This module performs the following tasks:
|
||||
|
||||
- Create VPC, vpcflow log
|
||||
@ -6,41 +7,46 @@ This module performs the following tasks:
|
||||
- Create IGW, NGW
|
||||
|
||||
## Subnet addressing
|
||||
This module takes in the VPC cidr. Then add 4 bits to the netmask and divide the cidr into 2 ranges.
|
||||
First range will be used for private subnet and second for public subnets.
|
||||
Another 4 bits are added to these ranges for each subnet.
|
||||
|
||||
For example, if the VPC cidr is 10.2.0.0/16, the following subnets will be created:
|
||||
Subnet cidrs are calculated automatically. Due to the design of terraform's cidrsubnets, this module has limitations:
|
||||
|
||||
| Subnet Type | Subnet AZ1 | Subnet AZ2 | Subnet AZ3 |
|
||||
|-------------|------------|------------|------------|
|
||||
| Private | 10.2.0.0/24 | 10.2.1.0/24 | 10.2.2.0/24 |
|
||||
| Public | 10.2.16.0/24 | 10.2.17.0/24 | 10.2.18.0/24 |
|
||||
* supports 2, 4, 6, or 8 subnets in total.
|
||||
* hard-coded to work with 2 AZs, regardless of number of AZs available in the region.
|
||||
|
||||
The VPC cidr netmask should be /20 or above, to produce subnets with /28 netmasks or above.
|
||||
Subnet smaller than /28 is unlikely useful.
|
||||
Based on the input variables, it will create subnet cidrs using the following function
|
||||
|
||||
| Private Subnets per az | Public Subnets per az | Function | Example if a /24 is used on VPC |
|
||||
| ---------------------- | --------------------- | -------------------------------------------- | ------------------------------- |
|
||||
| 1 | 0 | cidrsubnets(local.vpc-cidr, 1,1) | 2 * /25 |
|
||||
| 1 | 1 | cidrsubnets(local.vpc-cidr, 2,2,2,2) | 4 * /26 |
|
||||
| 2 | 1 | cidrsubnets(local.vpc-cidr, 3,3,3,3,3,3) | 6 * /27 |
|
||||
| 2 | 2 | cidrsubnets(local.vpc-cidr, 4,4,4,4,4,4,4,4) | 8 * /28 |
|
||||
|
||||
simple-divide = local.total-no-subnets >=8 ? cidrsubnets(local.vpc-cidr, 4,4,4,4,4,4,4,4) : local.total-no-subnets >=6 ? cidrsubnets(local.vpc-cidr, 3,3,3,3,3,3) : local.total-no-subnets >=4 ? cidrsubnets(local.vpc-cidr, 2,2,2,2) : local.total-no-subnets >=2 ? cidrsubnets(local.vpc-cidr, 1,1) : null
|
||||
|
||||
## Inputs:
|
||||
| Name | Description | Type | Default | Required |
|
||||
|------|-------------|------|---------|:-----:|
|
||||
| application | name of application | string | none | yes |
|
||||
| environment | capacity of environment (prd/dev/lab) | string | none | yes |
|
||||
| customer-name | owner of aws resources | string | none | yes |
|
||||
| project | name of project | string | none | yes |
|
||||
| default-tags | tags to be added to resources | list | none | yes |
|
||||
| number-of-private-subnets-per-az | number of private subnets per az | number | 0 | yes |
|
||||
| number-of-public-subnets-per-az | number of public subnets per az | number | 0 | yes |
|
||||
| create-nat-gateway | whether to deploy NAT gateway for private subnets | bool | true | yes |
|
||||
| vpc-cidr | VPC cidr | string | none | yes |
|
||||
| enable-flowlog | whether to enable vpc flowlog | bool | true | yes |
|
||||
| vpcflowlog-retain-days | number of days to retain vpc cloudwatch log | number | 90 | yes |
|
||||
| aws-region-short | short name of aws region (e.g. apne1) | string | none | yes |
|
||||
| aws-region | aws region (e.g. ap-northeast-1) | string | none | yes |
|
||||
| vpcflowlog-cwl-loggroup-key-arn | kms key alias arn for log group encryption | string | none | yes |
|
||||
|
||||
| Name | Description | Type | Default | Required |
|
||||
| -------------------------------- | ------------------------------------------------- | ------ | ------- |:--------:|
|
||||
| application | name of application | string | none | yes |
|
||||
| environment | capacity of environment (prd/dev/lab) | string | none | yes |
|
||||
| customer-name | owner of aws resources | string | none | yes |
|
||||
| project | name of project | string | none | yes |
|
||||
| default-tags | tags to be added to resources | list | none | yes |
|
||||
| number-of-private-subnets-per-az | number of private subnets per az | number | 0 | yes |
|
||||
| number-of-public-subnets-per-az | number of public subnets per az | number | 0 | yes |
|
||||
| create-nat-gateway | whether to deploy NAT gateway for private subnets | bool | true | yes |
|
||||
| vpc-cidr | VPC cidr | string | none | yes |
|
||||
| enable-flowlog | whether to enable vpc flowlog | bool | true | yes |
|
||||
| vpcflowlog-retain-days | number of days to retain vpc cloudwatch log | number | 90 | yes |
|
||||
| aws-region-short | short name of aws region (e.g. apne1) | string | none | yes |
|
||||
| aws-region | aws region (e.g. ap-northeast-1) | string | none | yes |
|
||||
| vpcflowlog-cwl-loggroup-key-arn | kms key alias arn for log group encryption | string | none | yes |
|
||||
|
||||
## Outputs:
|
||||
| Name | Description | Type |
|
||||
|------|-------------|------|
|
||||
| vpc_id | vpc id | string |
|
||||
| public_subnets | list of cidr blocks | list |
|
||||
| private_subnets | list of cidr blocks | list |
|
||||
|
||||
| Name | Description | Type |
|
||||
| --------------- | ------------------- | ------ |
|
||||
| vpc_id | vpc id | string |
|
||||
| public_subnets | list of cidr blocks | list |
|
||||
| private_subnets | list of cidr blocks | list |
|
||||
|
@ -11,7 +11,7 @@ locals {
|
||||
|
||||
# VPC variables
|
||||
variable "vpc-cidr" {}
|
||||
/*
|
||||
|
||||
variable number-of-public-subnets-per-az {
|
||||
type = number
|
||||
default = 0
|
||||
@ -20,7 +20,7 @@ variable number-of-private-subnets-per-az {
|
||||
type = number
|
||||
default = 0
|
||||
}
|
||||
*/
|
||||
|
||||
variable "create-nat-gateway" {
|
||||
type = bool
|
||||
default = false
|
||||
@ -34,8 +34,8 @@ variable "vpcflowlog-retain-days" {
|
||||
default = 90
|
||||
}
|
||||
variable "vpcflowlog-cwl-loggroup-key-arn" {}
|
||||
variable "private-subnet-cidrs" {}
|
||||
variable "public-subnet-cidrs" {}
|
||||
# variable "private-subnet-cidrs" {}
|
||||
# variable "public-subnet-cidrs" {}
|
||||
variable "create-free-vpc-endpoints" {
|
||||
type = bool
|
||||
default = true
|
||||
|
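Review bot: With the list inputs disabled at `# variable "private-subnet-cidrs" {}` / `# variable "public-subnet-cidrs" {}`, `vpc-cidr` becomes the only input that determines subnet addressing, but it is still declared untyped and unvalidated as `variable "vpc-cidr" {}`. The README added in this commit states the prefix must be /20 or shorter so that the 8-way split still yields /28s; nothing enforces that, so a /24 with eight subnets would only surface as a confusing `cidrsubnets` error at plan time. I would give the variable a type and a validation block that rejects non-IPv4 input and prefixes longer than /20, as below. Separately, deleting the two commented-out declarations instead of leaving them as comments would keep the variables file from drifting into dead code on the next revert.
```hcl
variable "vpc-cidr" {
  type = string
  validation {
    condition     = can(cidrnetmask(var.vpc-cidr)) && can(regex("/([0-9]|1[0-9]|20)$", var.vpc-cidr))
    error_message = "vpc-cidr must be an IPv4 CIDR with a prefix of /20 or shorter (the module splits it into up to 8 subnets)."
  }
}
```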
@ -3,16 +3,26 @@ data "aws_availability_zones" "available-az" {
|
||||
}
|
||||
|
||||
locals {
|
||||
subnet_start = cidrsubnets(var.vpc-cidr, 1, 1) # divide vpc into 2
|
||||
// subnet_start = cidrsubnets(var.vpc-cidr, 1, 1) # divide vpc into 2
|
||||
# no-az = length(data.aws_availability_zones.available-az.id)
|
||||
no-az = 2 # hard-coding to 2AZ
|
||||
vpc-cidr = var.vpc-cidr
|
||||
total-no-subnets = local.no-az * (var.number-of-private-subnets-per-az + var.number-of-public-subnets-per-az)
|
||||
|
||||
simple-divide = local.total-no-subnets >=8 ? cidrsubnets(local.vpc-cidr, 4,4,4,4,4,4,4,4) : local.total-no-subnets >=6 ? cidrsubnets(local.vpc-cidr, 3,3,3,3,3,3) : local.total-no-subnets >=4 ? cidrsubnets(local.vpc-cidr, 2,2,2,2) : local.total-no-subnets >=2 ? cidrsubnets(local.vpc-cidr, 1,1) : null
|
||||
public-subnets = slice(local.simple-divide, 0, var.number-of-public-subnets-per-az * local.no-az)
|
||||
private-subnets = slice(local.simple-divide, var.number-of-public-subnets-per-az * local.no-az , local.total-no-subnets)
|
||||
}
|
||||
|
||||
resource aws_subnet private-subnets {
|
||||
count = length(var.private-subnet-cidrs)
|
||||
count = length(local.private-subnets)
|
||||
# count = length(var.private-subnet-cidrs)
|
||||
# count = var.number-of-private-subnets-per-az * length(data.aws_availability_zones.available-az.names)
|
||||
vpc_id = aws_vpc.vpc.id
|
||||
availability_zone = element(data.aws_availability_zones.available-az.names, count.index)
|
||||
# cidr_block = cidrsubnet(local.subnet_start[0], 2, count.index)
|
||||
cidr_block = var.private-subnet-cidrs[count.index]
|
||||
# cidr_block = var.private-subnet-cidrs[count.index]
|
||||
cidr_block = local.private-subnets[count.index]
|
||||
tags = merge(
|
||||
var.default-tags,
|
||||
{
|
||||
@ -22,12 +32,14 @@ resource aws_subnet private-subnets {
|
||||
}
|
||||
|
||||
resource aws_subnet public-subnets {
|
||||
count = length(var.public-subnet-cidrs)
|
||||
count = length(local.public-subnets)
|
||||
# count = length(var.public-subnet-cidrs)
|
||||
# count = var.number-of-public-subnets-per-az * length(data.aws_availability_zones.available-az.names)
|
||||
vpc_id = aws_vpc.vpc.id
|
||||
availability_zone = element(data.aws_availability_zones.available-az.names, count.index)
|
||||
# cidr_block = cidrsubnet(local.subnet_start[1], 2, count.index)
|
||||
cidr_block = var.public-subnet-cidrs[count.index]
|
||||
# cidr_block = var.public-subnet-cidrs[count.index]
|
||||
cidr_block = local.public-subnets[count.index]
|
||||
tags = merge(
|
||||
var.default-tags,
|
||||
{
|
||||
@ -54,7 +66,7 @@ resource "aws_vpc" "vpc" {
|
||||
}
|
||||
|
||||
resource "aws_internet_gateway" "igw" {
|
||||
count = length(var.public-subnet-cidrs) > 0 ? 1 : 0
|
||||
count = var.number-of-public-subnets-per-az > 0 ? 1 : 0
|
||||
vpc_id = aws_vpc.vpc.id
|
||||
|
||||
tags = merge(
|
||||
@ -88,7 +100,7 @@ resource "aws_nat_gateway" "ngw" {
|
||||
}
|
||||
|
||||
resource aws_route_table public-route-table {
|
||||
count = length(var.public-subnet-cidrs) > 0 ? 1 : 0
|
||||
count = var.number-of-public-subnets-per-az > 0 ? 1 : 0
|
||||
vpc_id = aws_vpc.vpc.id
|
||||
tags = merge(
|
||||
var.default-tags,
|
||||
@ -99,7 +111,7 @@ resource aws_route_table public-route-table {
|
||||
}
|
||||
|
||||
resource aws_route_table private-route-table {
|
||||
count = length(var.private-subnet-cidrs) > 0 ? 1 : 0
|
||||
count = var.number-of-private-subnets-per-az > 0 ? 1 : 0
|
||||
vpc_id = aws_vpc.vpc.id
|
||||
tags = merge(
|
||||
var.default-tags,
|
||||
@ -110,7 +122,7 @@ resource aws_route_table private-route-table {
|
||||
}
|
||||
|
||||
resource "aws_route" "public-routes" {
|
||||
count = length(var.public-subnet-cidrs) > 0 ? 1 : 0
|
||||
count = var.number-of-public-subnets-per-az > 0 ? 1 : 0
|
||||
|
||||
destination_cidr_block = "0.0.0.0/0"
|
||||
gateway_id = aws_internet_gateway.igw[0].id
|
||||
@ -118,7 +130,7 @@ resource "aws_route" "public-routes" {
|
||||
}
|
||||
|
||||
resource "aws_route" "private-routes" {
|
||||
count = length(var.private-subnet-cidrs) > 0 && var.create-nat-gateway ? 1 : 0
|
||||
count = var.number-of-private-subnets-per-az > 0 && var.create-nat-gateway ? 1 : 0
|
||||
|
||||
destination_cidr_block = "0.0.0.0/0"
|
||||
nat_gateway_id = aws_nat_gateway.ngw[0].id
|
||||
|
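Review bot: The new `availability_zone = element(data.aws_availability_zones.available-az.names, count.index)` on both subnet resources cycles through every AZ the region reports, while the CIDR arithmetic in `locals` is pinned to `no-az = 2 # hard-coding to 2AZ`; in a region with three or more AZs a 2-per-AZ layout therefore lands in three AZs unevenly (indices 0,1,2,3 map to a,b,c,a) instead of the two the README promises. Restrict the lookup to the same AZ count the addressing uses: `availability_zone = element(slice(data.aws_availability_zones.available-az.names, 0, local.no-az), count.index)` in both `aws_subnet` blocks. Also, when `total-no-subnets` exceeds 8, `simple-divide` still returns the 8-way split and the `private-subnets` slice then runs past the end of the list, so the "2, 4, 6, or 8 subnets" limit from the README would be better enforced with a variable validation on the per-AZ counts than left to a slice error. The `aws_subnet private-subnets` body continues beyond the end of the hunk.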