UPD: Added multiaz support to VpcSubnet module

modules/networking/VpcSubnet/README.md

@@ -7,13 +7,6 @@ This module performs the following tasks:
 - Create IGW, NGW
 - Create s3 and ddb endpoints which are free
 
-## Limitations
-- Only 1 NAT gateway is supported with this module. MultiAZ support is work in progress
-
-## Subnet addressing
-
-Subnet cidrs needs to be specified manually
-
 ## Requirements
 
 | Name | Version |
@@ -33,6 +26,7 @@ Subnet cidrs needs to be specified manually
 | Name | Source | Version |
 |------|--------|---------|
 | private-route | ./modules/RouteTables | n/a |
+| private-route-multiaz | ./modules/RouteTables | n/a |
 | vpc-ep | ../vpc-endpoints | n/a |
 
 ## Resources
@@ -42,12 +36,14 @@ Subnet cidrs needs to be specified manually
 | [aws_cloudwatch_log_group.vpcflowlog-loggroup](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
 | [aws_default_security_group.default-sg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_security_group) | resource |
 | [aws_eip.ngw-eip](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eip) | resource |
+| [aws_eip.ngw-eip-multiaz](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eip) | resource |
 | [aws_flow_log.vpc-flowlog](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/flow_log) | resource |
 | [aws_flow_log.vpc-flowlog-s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/flow_log) | resource |
 | [aws_iam_role.vpcflowlog-role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy.vpcflowlog-role-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_internet_gateway.igw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/internet_gateway) | resource |
 | [aws_nat_gateway.ngw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/nat_gateway) | resource |
+| [aws_nat_gateway.ngw-multiaz](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/nat_gateway) | resource |
 | [aws_route.public-routes](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |
 | [aws_route_table.public-route-table](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table) | resource |
 | [aws_route_table_association.public_route_association](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |
@@ -69,6 +65,7 @@ Subnet cidrs needs to be specified manually
 | enable-flow-log | n/a | `bool` | `true` | no |
 | flow-log-bucket-arn | Arn of S3 bucket to be used for flow logging | `string` | `null` | no |
 | flow-log-destination | Destination of flowlog. Valid destinations are s3 or cwlog | `string` | `null` | no |
+| multiaz-nat-gateway | Whether to deploy 1 NAT gateway for each AZ | `bool` | `false` | no |
 | private-subnet-cidrs | Private subnet CIDRs | `list(string)` | `[]` | no |
 | public-subnet-cidrs | Public subnet CIDRs | `list(string)` | `[]` | no |
 | resource-prefix | Prefix of resource | `string` | n/a | yes |
@@ -81,9 +78,12 @@ Subnet cidrs needs to be specified manually
 
 | Name | Description |
 |------|-------------|
+| azs | n/a |
+| private-subnet-azs | n/a |
 | private-subnet-ids | n/a |
 | private\_subnets | n/a |
 | public-route-table-id | n/a |
+| public-subnet-azs | n/a |
 | public-subnet-ids | n/a |
 | public\_subnets | n/a |
 | secondary\_cidr\_blocks | n/a |

modules/networking/VpcSubnet/main.tf

@@ -14,7 +14,7 @@ data "aws_default_tags" "this" {
 }
 
 locals {
-  no-az    = 2 # hard-coding to 2AZ
+  # no-az    = 2 # hard-coding to 2AZ
   vpc-cidr = var.vpc-cidr
 }
 
@@ -68,14 +68,13 @@ resource "aws_internet_gateway" "igw" {
 }
 
 resource "aws_eip" "ngw-eip" {
-  count = var.create-nat-gateway ? 1 : 0
+  count      = var.create-nat-gateway ? 1 : 0
-  # deprecated # vpc = true
   domain     = "vpc"
   depends_on = [aws_internet_gateway.igw]
 }
 
 resource "aws_nat_gateway" "ngw" {
-  count         = var.create-nat-gateway ? 1 : 0
+  count         = var.create-nat-gateway && !var.multiaz-nat-gateway ? 1 : 0
   allocation_id = aws_eip.ngw-eip[0].id
   subnet_id     = aws_subnet.public-subnets[0].id
 
@@ -85,23 +84,50 @@ resource "aws_nat_gateway" "ngw" {
   depends_on = [aws_internet_gateway.igw]
 }
 
+resource "aws_eip" "ngw-eip-multiaz" {
+  count      = var.multiaz-nat-gateway ? length(distinct(aws_subnet.private-subnets.*.availability_zone)) : 0
+  domain     = "vpc"
+  depends_on = [aws_internet_gateway.igw]
+}
+
+resource "aws_nat_gateway" "ngw-multiaz" {
+  count         = var.multiaz-nat-gateway ? length(aws_eip.ngw-eip-multiaz) : 0
+  allocation_id = aws_eip.ngw-eip-multiaz[count.index].id
+  subnet_id     = aws_subnet.public-subnets[count.index].id
+  tags = {
+    Name = "${var.resource-prefix}-ngw-${count.index + 1}"
+  }
+  depends_on = [aws_internet_gateway.igw]
+}
+
 resource "aws_route_table" "public-route-table" {
   count  = length(var.public-subnet-cidrs) > 0 ? 1 : 0
   vpc_id = aws_vpc.vpc.id
   tags = {
-    Name = "${var.resource-prefix}-publicroutetable"
+    Name = "${var.resource-prefix}-public"
   }
 }
 
 module "private-route" {
   source          = "./modules/RouteTables"
-  count           = var.create-nat-gateway ? length(aws_subnet.private-subnets) : 0
+  count           = var.create-nat-gateway && !var.multiaz-nat-gateway ? length(aws_subnet.private-subnets) : 0
   ngw-id          = aws_nat_gateway.ngw[0].id
   resource-prefix = var.resource-prefix
   subnet-id       = aws_subnet.private-subnets[count.index].id
   vpc-id          = aws_vpc.vpc.id
 }
 
+module "private-route-multiaz" {
+  source          = "./modules/RouteTables"
+  count           = var.multiaz-nat-gateway ? length(aws_subnet.private-subnets) : 0
+  ngw-id          = aws_nat_gateway.ngw-multiaz[count.index].id
+  resource-prefix = var.resource-prefix
+  subnet-id       = aws_subnet.private-subnets[count.index].id
+  vpc-id          = aws_vpc.vpc.id
+}
+
+
+
 # resource "aws_route_table" "private-route-table" {
 #   count  = length(var.private-subnet-cidrs) > 0 ? 1 : 0
 #   vpc_id = aws_vpc.vpc.id

modules/networking/VpcSubnet/modules/RouteTables/main.tf

@@ -1,7 +1,7 @@
 resource "aws_route_table" "this" {
   vpc_id = var.vpc-id
   tags = {
-    Name = "${var.resource-prefix}-privateroutetable"
+    Name = "${var.resource-prefix}-private"
   }
 }
 

modules/networking/VpcSubnet/outputs.tf

@@ -36,4 +36,16 @@ output "public-route-table-id" {
 
 output "secondary_cidr_blocks" {
   value = var.secondary_cidr_blocks
+}
+
+output "public-subnet-azs" {
+  value = distinct(aws_subnet.public-subnets.*.availability_zone)
+}
+
+output "private-subnet-azs" {
+  value = distinct(aws_subnet.private-subnets.*.availability_zone)
+}
+
+output "azs" {
+  value = data.aws_availability_zones.available-az.names
 }

modules/networking/VpcSubnet/variables.tf

@@ -26,6 +26,12 @@ variable "create-nat-gateway" {
   default = false
 }
 
+variable "multiaz-nat-gateway" {
+  type        = bool
+  description = "Whether to deploy 1 NAT gateway for each AZ"
+  default     = false
+}
+
 variable "flow-log-destination" {
   type        = string
   description = "Destination of flowlog. Valid destinations are s3 or cwlog"