UPD: Added multiaz support to VpcSubnet module
This commit is contained in:
parent
f9a4bca655
commit
c6614d4d48
@ -7,13 +7,6 @@ This module performs the following tasks:
|
|||||||
- Create IGW, NGW
|
- Create IGW, NGW
|
||||||
- Create s3 and ddb endpoints which are free
|
- Create s3 and ddb endpoints which are free
|
||||||
|
|
||||||
## Limitations
|
|
||||||
- Only 1 NAT gateway is supported with this module. MultiAZ support is work in progress
|
|
||||||
|
|
||||||
## Subnet addressing
|
|
||||||
|
|
||||||
Subnet cidrs needs to be specified manually
|
|
||||||
|
|
||||||
## Requirements
|
## Requirements
|
||||||
|
|
||||||
| Name | Version |
|
| Name | Version |
|
||||||
@ -33,6 +26,7 @@ Subnet cidrs needs to be specified manually
|
|||||||
| Name | Source | Version |
|
| Name | Source | Version |
|
||||||
|------|--------|---------|
|
|------|--------|---------|
|
||||||
| private-route | ./modules/RouteTables | n/a |
|
| private-route | ./modules/RouteTables | n/a |
|
||||||
|
| private-route-multiaz | ./modules/RouteTables | n/a |
|
||||||
| vpc-ep | ../vpc-endpoints | n/a |
|
| vpc-ep | ../vpc-endpoints | n/a |
|
||||||
|
|
||||||
## Resources
|
## Resources
|
||||||
@ -42,12 +36,14 @@ Subnet cidrs needs to be specified manually
|
|||||||
| [aws_cloudwatch_log_group.vpcflowlog-loggroup](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
|
| [aws_cloudwatch_log_group.vpcflowlog-loggroup](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
|
||||||
| [aws_default_security_group.default-sg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_security_group) | resource |
|
| [aws_default_security_group.default-sg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_security_group) | resource |
|
||||||
| [aws_eip.ngw-eip](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eip) | resource |
|
| [aws_eip.ngw-eip](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eip) | resource |
|
||||||
|
| [aws_eip.ngw-eip-multiaz](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eip) | resource |
|
||||||
| [aws_flow_log.vpc-flowlog](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/flow_log) | resource |
|
| [aws_flow_log.vpc-flowlog](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/flow_log) | resource |
|
||||||
| [aws_flow_log.vpc-flowlog-s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/flow_log) | resource |
|
| [aws_flow_log.vpc-flowlog-s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/flow_log) | resource |
|
||||||
| [aws_iam_role.vpcflowlog-role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
|
| [aws_iam_role.vpcflowlog-role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
|
||||||
| [aws_iam_role_policy.vpcflowlog-role-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
|
| [aws_iam_role_policy.vpcflowlog-role-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
|
||||||
| [aws_internet_gateway.igw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/internet_gateway) | resource |
|
| [aws_internet_gateway.igw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/internet_gateway) | resource |
|
||||||
| [aws_nat_gateway.ngw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/nat_gateway) | resource |
|
| [aws_nat_gateway.ngw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/nat_gateway) | resource |
|
||||||
|
| [aws_nat_gateway.ngw-multiaz](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/nat_gateway) | resource |
|
||||||
| [aws_route.public-routes](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |
|
| [aws_route.public-routes](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |
|
||||||
| [aws_route_table.public-route-table](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table) | resource |
|
| [aws_route_table.public-route-table](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table) | resource |
|
||||||
| [aws_route_table_association.public_route_association](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |
|
| [aws_route_table_association.public_route_association](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |
|
||||||
@ -69,6 +65,7 @@ Subnet cidrs needs to be specified manually
|
|||||||
| enable-flow-log | n/a | `bool` | `true` | no |
|
| enable-flow-log | n/a | `bool` | `true` | no |
|
||||||
| flow-log-bucket-arn | Arn of S3 bucket to be used for flow logging | `string` | `null` | no |
|
| flow-log-bucket-arn | Arn of S3 bucket to be used for flow logging | `string` | `null` | no |
|
||||||
| flow-log-destination | Destination of flowlog. Valid destinations are s3 or cwlog | `string` | `null` | no |
|
| flow-log-destination | Destination of flowlog. Valid destinations are s3 or cwlog | `string` | `null` | no |
|
||||||
|
| multiaz-nat-gateway | Whether to deploy 1 NAT gateway for each AZ | `bool` | `false` | no |
|
||||||
| private-subnet-cidrs | Private subnet CIDRs | `list(string)` | `[]` | no |
|
| private-subnet-cidrs | Private subnet CIDRs | `list(string)` | `[]` | no |
|
||||||
| public-subnet-cidrs | Public subnet CIDRs | `list(string)` | `[]` | no |
|
| public-subnet-cidrs | Public subnet CIDRs | `list(string)` | `[]` | no |
|
||||||
| resource-prefix | Prefix of resource | `string` | n/a | yes |
|
| resource-prefix | Prefix of resource | `string` | n/a | yes |
|
||||||
@ -81,9 +78,12 @@ Subnet cidrs needs to be specified manually
|
|||||||
|
|
||||||
| Name | Description |
|
| Name | Description |
|
||||||
|------|-------------|
|
|------|-------------|
|
||||||
|
| azs | n/a |
|
||||||
|
| private-subnet-azs | n/a |
|
||||||
| private-subnet-ids | n/a |
|
| private-subnet-ids | n/a |
|
||||||
| private\_subnets | n/a |
|
| private\_subnets | n/a |
|
||||||
| public-route-table-id | n/a |
|
| public-route-table-id | n/a |
|
||||||
|
| public-subnet-azs | n/a |
|
||||||
| public-subnet-ids | n/a |
|
| public-subnet-ids | n/a |
|
||||||
| public\_subnets | n/a |
|
| public\_subnets | n/a |
|
||||||
| secondary\_cidr\_blocks | n/a |
|
| secondary\_cidr\_blocks | n/a |
|
||||||
|
@ -14,7 +14,7 @@ data "aws_default_tags" "this" {
|
|||||||
}
|
}
|
||||||
|
|
||||||
locals {
|
locals {
|
||||||
no-az = 2 # hard-coding to 2AZ
|
# no-az = 2 # hard-coding to 2AZ
|
||||||
vpc-cidr = var.vpc-cidr
|
vpc-cidr = var.vpc-cidr
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -68,14 +68,13 @@ resource "aws_internet_gateway" "igw" {
|
|||||||
}
|
}
|
||||||
|
|
||||||
resource "aws_eip" "ngw-eip" {
|
resource "aws_eip" "ngw-eip" {
|
||||||
count = var.create-nat-gateway ? 1 : 0
|
count = var.create-nat-gateway ? 1 : 0
|
||||||
# deprecated # vpc = true
|
|
||||||
domain = "vpc"
|
domain = "vpc"
|
||||||
depends_on = [aws_internet_gateway.igw]
|
depends_on = [aws_internet_gateway.igw]
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "aws_nat_gateway" "ngw" {
|
resource "aws_nat_gateway" "ngw" {
|
||||||
count = var.create-nat-gateway ? 1 : 0
|
count = var.create-nat-gateway && !var.multiaz-nat-gateway ? 1 : 0
|
||||||
allocation_id = aws_eip.ngw-eip[0].id
|
allocation_id = aws_eip.ngw-eip[0].id
|
||||||
subnet_id = aws_subnet.public-subnets[0].id
|
subnet_id = aws_subnet.public-subnets[0].id
|
||||||
|
|
||||||
@ -85,23 +84,50 @@ resource "aws_nat_gateway" "ngw" {
|
|||||||
depends_on = [aws_internet_gateway.igw]
|
depends_on = [aws_internet_gateway.igw]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
resource "aws_eip" "ngw-eip-multiaz" {
|
||||||
|
count = var.multiaz-nat-gateway ? length(distinct(aws_subnet.private-subnets.*.availability_zone)) : 0
|
||||||
|
domain = "vpc"
|
||||||
|
depends_on = [aws_internet_gateway.igw]
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "aws_nat_gateway" "ngw-multiaz" {
|
||||||
|
count = var.multiaz-nat-gateway ? length(aws_eip.ngw-eip-multiaz) : 0
|
||||||
|
allocation_id = aws_eip.ngw-eip-multiaz[count.index].id
|
||||||
|
subnet_id = aws_subnet.public-subnets[count.index].id
|
||||||
|
tags = {
|
||||||
|
Name = "${var.resource-prefix}-ngw-${count.index + 1}"
|
||||||
|
}
|
||||||
|
depends_on = [aws_internet_gateway.igw]
|
||||||
|
}
|
||||||
|
|
||||||
resource "aws_route_table" "public-route-table" {
|
resource "aws_route_table" "public-route-table" {
|
||||||
count = length(var.public-subnet-cidrs) > 0 ? 1 : 0
|
count = length(var.public-subnet-cidrs) > 0 ? 1 : 0
|
||||||
vpc_id = aws_vpc.vpc.id
|
vpc_id = aws_vpc.vpc.id
|
||||||
tags = {
|
tags = {
|
||||||
Name = "${var.resource-prefix}-publicroutetable"
|
Name = "${var.resource-prefix}-public"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
module "private-route" {
|
module "private-route" {
|
||||||
source = "./modules/RouteTables"
|
source = "./modules/RouteTables"
|
||||||
count = var.create-nat-gateway ? length(aws_subnet.private-subnets) : 0
|
count = var.create-nat-gateway && !var.multiaz-nat-gateway ? length(aws_subnet.private-subnets) : 0
|
||||||
ngw-id = aws_nat_gateway.ngw[0].id
|
ngw-id = aws_nat_gateway.ngw[0].id
|
||||||
resource-prefix = var.resource-prefix
|
resource-prefix = var.resource-prefix
|
||||||
subnet-id = aws_subnet.private-subnets[count.index].id
|
subnet-id = aws_subnet.private-subnets[count.index].id
|
||||||
vpc-id = aws_vpc.vpc.id
|
vpc-id = aws_vpc.vpc.id
|
||||||
}
|
}
|
||||||
|
|
||||||
|
module "private-route-multiaz" {
|
||||||
|
source = "./modules/RouteTables"
|
||||||
|
count = var.multiaz-nat-gateway ? length(aws_subnet.private-subnets) : 0
|
||||||
|
ngw-id = aws_nat_gateway.ngw-multiaz[count.index].id
|
||||||
|
resource-prefix = var.resource-prefix
|
||||||
|
subnet-id = aws_subnet.private-subnets[count.index].id
|
||||||
|
vpc-id = aws_vpc.vpc.id
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
# resource "aws_route_table" "private-route-table" {
|
# resource "aws_route_table" "private-route-table" {
|
||||||
# count = length(var.private-subnet-cidrs) > 0 ? 1 : 0
|
# count = length(var.private-subnet-cidrs) > 0 ? 1 : 0
|
||||||
# vpc_id = aws_vpc.vpc.id
|
# vpc_id = aws_vpc.vpc.id
|
||||||
|
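Review bot: In the `@ -85,23 +84,50 @@` hunk the new `ngw-multiaz` and `private-route-multiaz` blocks pair gateways and subnets by list position rather than by availability zone: `aws_nat_gateway.ngw-multiaz` has one instance per distinct private-subnet AZ but places instance i in `aws_subnet.public-subnets[i]`, and `module.private-route-multiaz` has one instance per private subnet but reads `aws_nat_gateway.ngw-multiaz[count.index]`. With more private subnets than AZs the second index runs past the end of the gateway list, and whenever the public-subnet order does not match the distinct-AZ order a private subnet is routed through a NAT gateway in another AZ, which keeps the cross-AZ dependency (and inter-AZ data transfer) that per-AZ NAT gateways are meant to remove. Keying the gateways by AZ and looking the gateway up from each private subnet's `availability_zone` fixes both, as sketched below; this presumably requires the subnet AZs to be known at plan time, so if they are not set explicitly the key set should come from the AZ input instead. Separately, these blocks are gated only on `var.multiaz-nat-gateway`, so NAT gateways are still created when `create-nat-gateway = false`; the count conditions should include `var.create-nat-gateway` if that flag is meant to be the master switch.
```hcl
locals {
  # constructed sketch: one NAT gateway per AZ that hosts a private subnet
  nat-azs             = var.create-nat-gateway && var.multiaz-nat-gateway ? distinct(aws_subnet.private-subnets.*.availability_zone) : []
  public-subnet-by-az = { for s in aws_subnet.public-subnets : s.availability_zone => s.id... }
}

resource "aws_eip" "ngw-eip-multiaz" {
  for_each   = toset(local.nat-azs)
  domain     = "vpc"
  depends_on = [aws_internet_gateway.igw]
}

resource "aws_nat_gateway" "ngw-multiaz" {
  for_each      = toset(local.nat-azs)
  allocation_id = aws_eip.ngw-eip-multiaz[each.key].id
  subnet_id     = local.public-subnet-by-az[each.key][0]
  tags = {
    Name = "${var.resource-prefix}-ngw-${each.key}"
  }
  depends_on = [aws_internet_gateway.igw]
}

module "private-route-multiaz" {
  # … unchanged: source, resource-prefix, subnet-id, vpc-id …
  count  = length(local.nat-azs) > 0 ? length(aws_subnet.private-subnets) : 0
  ngw-id = aws_nat_gateway.ngw-multiaz[aws_subnet.private-subnets[count.index].availability_zone].id
}
```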
@ -1,7 +1,7 @@
|
|||||||
resource "aws_route_table" "this" {
|
resource "aws_route_table" "this" {
|
||||||
vpc_id = var.vpc-id
|
vpc_id = var.vpc-id
|
||||||
tags = {
|
tags = {
|
||||||
Name = "${var.resource-prefix}-privateroutetable"
|
Name = "${var.resource-prefix}-private"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -37,3 +37,15 @@ output "public-route-table-id" {
|
|||||||
output "secondary_cidr_blocks" {
|
output "secondary_cidr_blocks" {
|
||||||
value = var.secondary_cidr_blocks
|
value = var.secondary_cidr_blocks
|
||||||
}
|
}
|
||||||
|
|
||||||
|
output "public-subnet-azs" {
|
||||||
|
value = distinct(aws_subnet.public-subnets.*.availability_zone)
|
||||||
|
}
|
||||||
|
|
||||||
|
output "private-subnet-azs" {
|
||||||
|
value = distinct(aws_subnet.private-subnets.*.availability_zone)
|
||||||
|
}
|
||||||
|
|
||||||
|
output "azs" {
|
||||||
|
value = data.aws_availability_zones.available-az.names
|
||||||
|
}
|
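Review bot: The three new outputs (`public-subnet-azs`, `private-subnet-azs`, `azs`) carry no `description`, which is why the README table in this commit lists them as `n/a`; add e.g. `description = "Distinct availability zones of the public subnets"`, `description = "Distinct availability zones of the private subnets"` and `description = "Availability zones reported by data.aws_availability_zones.available-az"`. The `azs` output reads `data.aws_availability_zones.available-az.names`, whose declaration is outside this hunk; presumably it is the module's existing AZ data source, but it is worth confirming it is not filtered in a way that makes it differ from the AZs the subnets actually occupy, since the two other outputs are derived from the subnets themselves.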
@ -26,6 +26,12 @@ variable "create-nat-gateway" {
|
|||||||
default = false
|
default = false
|
||||||
}
|
}
|
||||||
|
|
||||||
|
variable "multiaz-nat-gateway" {
|
||||||
|
type = bool
|
||||||
|
description = "Whether to deploy 1 NAT gateway for each AZ"
|
||||||
|
default = false
|
||||||
|
}
|
||||||
|
|
||||||
variable "flow-log-destination" {
|
variable "flow-log-destination" {
|
||||||
type = string
|
type = string
|
||||||
description = "Destination of flowlog. Valid destinations are s3 or cwlog"
|
description = "Destination of flowlog. Valid destinations are s3 or cwlog"
|
||||||
|
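Review bot: The description of the new `multiaz-nat-gateway` variable does not say how it interacts with `create-nat-gateway`: in the main file of this commit the single `aws_nat_gateway.ngw` and `module.private-route` are disabled whenever this flag is true, while the per-AZ resources are created regardless of `create-nat-gateway`. Saying so here saves callers a surprise, e.g. `description = "Deploy one NAT gateway per private-subnet AZ instead of the single shared NAT gateway; takes precedence over create-nat-gateway"`. If the intent is instead that `create-nat-gateway = false` disables all NAT gateways, the count expressions on the per-AZ resources rather than this text should change.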