AWS VPC Terraform module

Terraform module which creates VPC resources on AWS.

Usage

module "vpc" {
  source = "terraform-aws-modules/vpc/aws"

  name = "my-vpc"
  cidr = "10.0.0.0/16"

  azs             = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
  private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
  public_subnets  = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]

  enable_nat_gateway = true
  enable_vpn_gateway = true

  tags = {
    Terraform = "true"
    Environment = "dev"
  }
}

External NAT Gateway IPs

By default this module provisions new Elastic IPs for the VPC's NAT Gateways. This means that when a new VPC is created, new IPs are allocated, and when that VPC is destroyed those IPs are released. Sometimes it is handy to keep the same IPs even after the VPC is destroyed and re-created, for example when a third party allow-lists your egress addresses. To that end, it is possible to assign existing IPs to the NAT Gateways. This prevents the destruction of the VPC from releasing those IPs, while making it possible for a re-created VPC to use the same IPs.

To achieve this, allocate the IPs outside the VPC module declaration.

resource "aws_eip" "nat" {
  count = 3

  # "vpc = true" is deprecated in AWS provider v5 (this module requires >= 5.46);
  # "domain = "vpc"" is the current form of the same setting.
  domain = "vpc"
}

Then, pass the allocated IPs as a parameter to this module.

module "vpc" {
  source = "terraform-aws-modules/vpc/aws"

  # The rest of arguments are omitted for brevity

  enable_nat_gateway  = true
  single_nat_gateway  = false
  reuse_nat_ips       = true                    # <= Skip creation of EIPs for the NAT Gateways
  external_nat_ip_ids = aws_eip.nat[*].id       # <= IPs specified here as input to the module
}

Note that in the example we allocate 3 IPs because we will be provisioning 3 NAT Gateways (due to single_nat_gateway = false and having 3 subnets). If, on the other hand, single_nat_gateway = true, then aws_eip.nat would only need to allocate 1 IP. Passing the IPs into the module is done by setting two variables: reuse_nat_ips = true and external_nat_ip_ids = aws_eip.nat[*].id (the legacy "${aws_eip.nat.*.id}" interpolation form still works on Terraform 0.12+ but is deprecated).

NAT Gateway Scenarios

This module supports three scenarios for creating NAT gateways. Each will be explained in further detail in the corresponding sections.

If both single_nat_gateway and one_nat_gateway_per_az are set to true, then single_nat_gateway takes precedence.

One NAT Gateway per subnet (default)

By default, the module will determine the number of NAT Gateways to create based on the max() of the private subnet lists (database_subnets, elasticache_subnets, private_subnets, and redshift_subnets). The module does not take into account the number of intra_subnets, since the latter are designed to have no Internet access via NAT Gateway. For example, if your configuration looks like the following:

database_subnets    = ["10.0.21.0/24", "10.0.22.0/24"]
elasticache_subnets = ["10.0.31.0/24", "10.0.32.0/24"]
private_subnets     = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24", "10.0.4.0/24", "10.0.5.0/24"]
redshift_subnets    = ["10.0.41.0/24", "10.0.42.0/24"]
intra_subnets       = ["10.0.51.0/24", "10.0.52.0/24", "10.0.53.0/24"]

Then 5 NAT Gateways will be created since 5 private subnet CIDR blocks were specified.

Single NAT Gateway

If single_nat_gateway = true, then all private subnets will route their Internet traffic through this single NAT gateway. The NAT gateway will be placed in the first public subnet in your public_subnets block.

One NAT Gateway per availability zone

If one_nat_gateway_per_az = true and single_nat_gateway = false, then the module will place one NAT gateway in each availability zone you specify in var.azs. There are some requirements around using this feature flag:

"private" versus "intra" subnets

By default, if NAT Gateways are enabled, private subnets will be configured with routes for Internet traffic that point at the NAT Gateways configured by use of the above options.

If you need private subnets that should have no Internet routing (in the sense of RFC1918 Category 1 subnets), intra_subnets should be specified. An example use case is configuration of AWS Lambda functions within a VPC, where AWS Lambda functions only need to pass traffic to internal resources or VPC endpoints for AWS services.

Since AWS Lambda functions allocate Elastic Network Interfaces in proportion to the traffic they receive, it can be useful to allocate a large private subnet for such allocations, while keeping the traffic they generate entirely internal to the VPC.

You can add additional tags with intra_subnet_tags as with other subnet types.
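The two patterns above, one NAT Gateway per availability zone and Internet-free intra subnets for a VPC-attached Lambda function, combined in one added example. This is not code from the module's own documentation. It assumes the module's vpc_id, vpc_cidr_block and intra_subnets outputs, a hypothetical lambda_exec_role_arn variable, and a hypothetical function.zip artifact; the CIDRs are constructed.

```hcl
# Added example (not from the module README): per-AZ NAT Gateways plus intra
# subnets that carry no route to the Internet, hosting a Lambda function.
module "vpc" {
  source = "terraform-aws-modules/vpc/aws"

  name = "per-az-nat-with-intra"
  cidr = "10.0.0.0/16"

  # Three AZs; every subnet list below has one CIDR per AZ, index-aligned.
  azs = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]

  # Public subnets host the NAT Gateways (one per AZ in this layout).
  public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
  # Private subnets get a default route to the NAT Gateway in their own AZ,
  # so an AZ outage does not take egress down for the surviving AZs.
  private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
  # Intra subnets get neither a NAT nor an IGW route: traffic stays in the VPC.
  # Sized /20 because Lambda allocates ENIs per concurrency, not per function.
  intra_subnets = ["10.0.16.0/20", "10.0.32.0/20", "10.0.48.0/20"]

  enable_nat_gateway     = true
  single_nat_gateway     = false # must be false, otherwise it takes precedence
  one_nat_gateway_per_az = true

  intra_subnet_tags = {
    Tier = "internal-only"
  }

  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}

# Assumed to exist elsewhere: the Lambda execution role (hypothetical variable).
variable "lambda_exec_role_arn" {
  type = string
}

# Security group for the function: egress restricted to the VPC itself.
# With no NAT/IGW route in the intra route tables this is belt and braces,
# but it also blocks lateral movement to peered or transit-attached networks.
resource "aws_security_group" "lambda" {
  name   = "internal-worker"
  vpc_id = module.vpc.vpc_id # assumed module output

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = [module.vpc.vpc_cidr_block] # assumed module output
  }
}

resource "aws_lambda_function" "internal" {
  function_name = "internal-worker"
  role          = var.lambda_exec_role_arn
  runtime       = "python3.12"
  handler       = "app.handler"
  filename      = "function.zip" # hypothetical deployment package

  # Placed in the intra subnets: the function can reach databases, caches and
  # VPC endpoints inside this VPC, but has no path to the Internet even if its
  # code or dependencies are compromised.
  vpc_config {
    subnet_ids         = module.vpc.intra_subnets # assumed module output
    security_group_ids = [aws_security_group.lambda.id]
  }
}
```

Anything the function needs from an AWS service (S3, Secrets Manager, SQS) has to be reachable through a VPC endpoint, since the intra subnets deliberately have no NAT route; a missing endpoint shows up as a timeout rather than an error.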

VPC Flow Log

VPC Flow Logs capture information about the IP traffic going to and from a specific network interface (ENI), a subnet, or the entire VPC. This module supports enabling or disabling VPC Flow Logs for the entire VPC only. If you need flow logs for an individual subnet or ENI, you have to manage them outside of this module with the aws_flow_log resource.

VPC Flow Log Examples

By default the file format is plain-text. You can also set flow_log_file_format to parquet to have logs written in Apache Parquet format:

flow_log_file_format = "parquet"

Permissions Boundary

If your organization requires a permissions boundary to be attached to the VPC Flow Log role, pass the ARN of the permissions boundary policy as the vpc_flow_log_permissions_boundary argument. Read more about the IAM policy required for publishing flow logs.
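The flow log settings from the sections above put together in one added example (not code from the module's own documentation): logs for the whole VPC go to a CloudWatch Logs group the module creates, encrypted with a KMS key, retained for a fixed period, and published by a module-created role that carries the organization's permissions boundary. It assumes a hypothetical permissions_boundary_arn variable and an aws_kms_key.logs resource; the CIDRs are constructed.

```hcl
# Added example (not from the module README): VPC-wide flow logs to CloudWatch.

# Assumed: the org-mandated boundary policy already exists (hypothetical variable).
variable "permissions_boundary_arn" {
  type        = string
  description = "ARN of the permissions boundary to attach to the flow log role"
}

# Assumed: a customer-managed key for the log group. CloudWatch Logs can only
# use it if the key policy grants the logs service principal for your region
# kms:Encrypt*, kms:Decrypt*, kms:ReEncrypt*, kms:GenerateDataKey* and
# kms:Describe*; that key policy is omitted here for brevity.
resource "aws_kms_key" "logs" {
  description         = "CMK for the VPC flow log group"
  enable_key_rotation = true
}

module "vpc" {
  source = "terraform-aws-modules/vpc/aws"

  name = "flow-logged"
  cidr = "10.0.0.0/16"

  azs             = ["eu-west-1a", "eu-west-1b"]
  private_subnets = ["10.0.1.0/24", "10.0.2.0/24"]
  public_subnets  = ["10.0.101.0/24", "10.0.102.0/24"]

  # Flow logs for the entire VPC; per-subnet or per-ENI logs need a separate
  # aws_flow_log resource outside the module.
  enable_flow_log           = true
  flow_log_destination_type = "cloud-watch-logs"
  # ALL rather than REJECT: rejected traffic shows scanning, but accepted
  # traffic is what you need to reconstruct an actual exfiltration.
  flow_log_traffic_type = "ALL"
  # 60 s aggregation gives finer timestamps for incident timelines than the
  # default 600 s, at the cost of more records.
  flow_log_max_aggregation_interval = 60

  # Let the module create the log group and the role that publishes to it.
  create_flow_log_cloudwatch_log_group            = true
  create_flow_log_cloudwatch_iam_role             = true
  flow_log_cloudwatch_log_group_name_prefix       = "/aws/vpc-flow-log/"
  flow_log_cloudwatch_log_group_retention_in_days = 90
  flow_log_cloudwatch_log_group_kms_key_id        = aws_kms_key.logs.arn
  # Keep the evidence even if this stack is destroyed: the group is only
  # removed from state, not deleted.
  flow_log_cloudwatch_log_group_skip_destroy = true

  # Boundary required by the organization on every role Terraform creates.
  vpc_flow_log_permissions_boundary = var.permissions_boundary_arn

  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}
```

For an S3 destination instead, set flow_log_destination_type = "s3" and flow_log_destination_arn to the bucket ARN, grant the delivery service access in the bucket policy, and then flow_log_file_format = "parquet" together with flow_log_per_hour_partition and flow_log_hive_compatible_partitions make the logs cheap to query with Athena.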

Conditional creation

Prior to Terraform 0.13, you were unable to specify count in a module block. If you wish to toggle the creation of the module's resources in an older (pre 0.13) version of Terraform, you can use the create_vpc argument.

# This VPC will not be created
module "vpc" {
  source = "terraform-aws-modules/vpc/aws"

  create_vpc = false
  # ... omitted
}

Public access to RDS instances

Sometimes it is handy to have public access to RDS instances (this is not recommended for production); to allow it, specify these arguments:

  create_database_subnet_group           = true
  create_database_subnet_route_table     = true
  create_database_internet_gateway_route = true

  enable_dns_hostnames = true
  enable_dns_support   = true

Network Access Control Lists (ACL or NACL)

This module can manage network ACLs and their rules. Once the VPC is created, AWS creates a default network ACL, which can be controlled using this module (manage_default_network_acl = true).

Also, each type of subnet may have its own network ACL with custom rules per subnet. For example, set public_dedicated_network_acl = true to use a dedicated network ACL for the public subnets, and set public_inbound_acl_rules and public_outbound_acl_rules to specify all the NACL rules you need on the public subnets (see variables.tf for default values and structures).

By default, all subnets are associated with the default network ACL.
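A dedicated network ACL for the public subnets with explicit rules, as an added example that is not part of the module's own documentation. It uses the rule keys shown for the *_inbound_acl_rules defaults in the inputs table; the CIDRs and port choices are constructed. Because NACLs are stateless, each direction of every permitted flow needs its own rule, which is what the ephemeral-port entries below are for.

```hcl
# Added example (not from the module README): explicit NACL rules on the public
# subnets instead of the allow-everything default.
module "vpc" {
  source = "terraform-aws-modules/vpc/aws"

  name = "public-nacl"
  cidr = "10.0.0.0/16"

  azs             = ["eu-west-1a", "eu-west-1b"]
  public_subnets  = ["10.0.101.0/24", "10.0.102.0/24"]
  private_subnets = ["10.0.1.0/24", "10.0.2.0/24"]

  enable_nat_gateway = true
  single_nat_gateway = true

  # Only the public subnets move to the dedicated ACL; private subnets stay on
  # the VPC's default ACL, so tightening default_network_acl_* would hit them too.
  public_dedicated_network_acl = true

  public_inbound_acl_rules = [
    {
      # HTTPS from anywhere to the load balancers in the public tier.
      rule_number = 100
      rule_action = "allow"
      protocol    = "tcp"
      from_port   = 443
      to_port     = 443
      cidr_block  = "0.0.0.0/0"
    },
    {
      # Return traffic for connections the public tier (and the NAT Gateway
      # that lives in it) opened outbound: stateless, so this must be explicit.
      rule_number = 110
      rule_action = "allow"
      protocol    = "tcp"
      from_port   = 1024
      to_port     = 65535
      cidr_block  = "0.0.0.0/0"
    },
    {
      # Private subnets sending traffic to the NAT Gateway or to the ALB.
      rule_number = 120
      rule_action = "allow"
      protocol    = "-1"
      from_port   = 0
      to_port     = 0
      cidr_block  = "10.0.0.0/16"
    },
  ]

  public_outbound_acl_rules = [
    {
      # Outbound HTTPS (AWS APIs, package mirrors, NAT'd private traffic).
      rule_number = 100
      rule_action = "allow"
      protocol    = "tcp"
      from_port   = 443
      to_port     = 443
      cidr_block  = "0.0.0.0/0"
    },
    {
      # Replies to inbound 443 go back to the client's ephemeral port.
      rule_number = 110
      rule_action = "allow"
      protocol    = "tcp"
      from_port   = 1024
      to_port     = 65535
      cidr_block  = "0.0.0.0/0"
    },
    {
      # Anything addressed inside the VPC (ALB -> app tier, NAT -> private).
      rule_number = 120
      rule_action = "allow"
      protocol    = "-1"
      from_port   = 0
      to_port     = 0
      cidr_block  = "10.0.0.0/16"
    },
  ]
}
```

Everything not matched falls through to the implicit deny, so SSH, RDP and plain HTTP to the public subnets are rejected at the subnet boundary regardless of what any security group allows; the REJECT entries those attempts produce in VPC Flow Logs are a useful detection signal. Add a UDP rule pair if instances in the public tier need NTP or DNS resolvers outside the VPC.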

Public access to Redshift cluster

Sometimes it is handy to have public access to Redshift clusters (for example, if you need to reach the cluster from Kinesis, since Redshift does not yet support a VPC endpoint for Kinesis); to allow it, specify this argument:

  enable_public_redshift = true  # <= By default Redshift subnets will be associated with the private route table

Transit Gateway (TGW) integration

It is possible to integrate this VPC module with terraform-aws-transit-gateway module which handles the creation of TGW resources and VPC attachments. See complete example there.

VPC CIDR from AWS IP Address Manager (IPAM)

It is possible to have your VPC CIDR assigned from an AWS IPAM pool. However, in order to build subnets within this module, Terraform must know the subnet CIDRs at plan time to determine how many resources to build. Since the CIDR is only derived by IPAM when CreateVpc is called, this is not possible within a module unless cidr is known ahead of time. You can work around this by "previewing" the next CIDR from the pool and deriving the subnet values from it.

Note: Due to race conditions with terraform plan, it is not possible to use ipv4_netmask_length or a pool's allocation_default_netmask_length within this module. You must explicitly set the CIDRs for a pool to use.

# Find the pool RAM shared to your account
# Info on RAM sharing pools: https://docs.aws.amazon.com/vpc/latest/ipam/share-pool-ipam.html
data "aws_vpc_ipam_pool" "ipv4_example" {
  filter {
    name   = "description"
    values = ["*mypool*"]
  }

  filter {
    name   = "address-family"
    values = ["ipv4"]
  }
}

# Preview next CIDR from pool
data "aws_vpc_ipam_preview_next_cidr" "previewed_cidr" {
  ipam_pool_id   = data.aws_vpc_ipam_pool.ipv4_example.id
  netmask_length = 24
}

data "aws_region" "current" {}

# Calculate subnet cidrs from previewed IPAM CIDR
locals {
  partition       = cidrsubnets(data.aws_vpc_ipam_preview_next_cidr.previewed_cidr.cidr, 2, 2)
  private_subnets = cidrsubnets(local.partition[0], 2, 2)
  public_subnets  = cidrsubnets(local.partition[1], 2, 2)
  azs             = formatlist("${data.aws_region.current.name}%s", ["a", "b"])
}

module "vpc_cidr_from_ipam" {
  source            = "terraform-aws-modules/vpc/aws"
  name              = "vpc-cidr-from-ipam"
  ipv4_ipam_pool_id = data.aws_vpc_ipam_pool.ipv4_example.id
  azs               = local.azs
  cidr              = data.aws_vpc_ipam_preview_next_cidr.previewed_cidr.cidr
  private_subnets   = local.private_subnets
  public_subnets    = local.public_subnets
}

Examples

Contributing

Report issues, questions and feature requests in the issues section.

Full contributing guidelines are covered here.

<!-- BEGIN_TF_DOCS -->

Requirements

| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> terraform | >= 1.0 |
| <a name="requirement_aws"></a> aws | >= 5.46 |

Providers

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> aws | >= 5.46 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_cloudwatch_log_group.flow_log | resource |
| aws_customer_gateway.this | resource |
| aws_db_subnet_group.database | resource |
| aws_default_network_acl.this | resource |
| aws_default_route_table.default | resource |
| aws_default_security_group.this | resource |
| aws_default_vpc.this | resource |
| aws_egress_only_internet_gateway.this | resource |
| aws_eip.nat | resource |
| aws_elasticache_subnet_group.elasticache | resource |
| aws_flow_log.this | resource |
| aws_iam_policy.vpc_flow_log_cloudwatch | resource |
| aws_iam_role.vpc_flow_log_cloudwatch | resource |
| aws_iam_role_policy_attachment.vpc_flow_log_cloudwatch | resource |
| aws_internet_gateway.this | resource |
| aws_nat_gateway.this | resource |
| aws_network_acl.database | resource |
| aws_network_acl.elasticache | resource |
| aws_network_acl.intra | resource |
| aws_network_acl.outpost | resource |
| aws_network_acl.private | resource |
| aws_network_acl.public | resource |
| aws_network_acl.redshift | resource |
| aws_network_acl_rule.database_inbound | resource |
| aws_network_acl_rule.database_outbound | resource |
| aws_network_acl_rule.elasticache_inbound | resource |
| aws_network_acl_rule.elasticache_outbound | resource |
| aws_network_acl_rule.intra_inbound | resource |
| aws_network_acl_rule.intra_outbound | resource |
| aws_network_acl_rule.outpost_inbound | resource |
| aws_network_acl_rule.outpost_outbound | resource |
| aws_network_acl_rule.private_inbound | resource |
| aws_network_acl_rule.private_outbound | resource |
| aws_network_acl_rule.public_inbound | resource |
| aws_network_acl_rule.public_outbound | resource |
| aws_network_acl_rule.redshift_inbound | resource |
| aws_network_acl_rule.redshift_outbound | resource |
| aws_redshift_subnet_group.redshift | resource |
| aws_route.database_dns64_nat_gateway | resource |
| aws_route.database_internet_gateway | resource |
| aws_route.database_ipv6_egress | resource |
| aws_route.database_nat_gateway | resource |
| aws_route.private_dns64_nat_gateway | resource |
| aws_route.private_ipv6_egress | resource |
| aws_route.private_nat_gateway | resource |
| aws_route.public_internet_gateway | resource |
| aws_route.public_internet_gateway_ipv6 | resource |
| aws_route_table.database | resource |
| aws_route_table.elasticache | resource |
| aws_route_table.intra | resource |
| aws_route_table.private | resource |
| aws_route_table.public | resource |
| aws_route_table.redshift | resource |
| aws_route_table_association.database | resource |
| aws_route_table_association.elasticache | resource |
| aws_route_table_association.intra | resource |
| aws_route_table_association.outpost | resource |
| aws_route_table_association.private | resource |
| aws_route_table_association.public | resource |
| aws_route_table_association.redshift | resource |
| aws_route_table_association.redshift_public | resource |
| aws_subnet.database | resource |
| aws_subnet.elasticache | resource |
| aws_subnet.intra | resource |
| aws_subnet.outpost | resource |
| aws_subnet.private | resource |
| aws_subnet.public | resource |
| aws_subnet.redshift | resource |
| aws_vpc.this | resource |
| aws_vpc_dhcp_options.this | resource |
| aws_vpc_dhcp_options_association.this | resource |
| aws_vpc_ipv4_cidr_block_association.this | resource |
| aws_vpn_gateway.this | resource |
| aws_vpn_gateway_attachment.this | resource |
| aws_vpn_gateway_route_propagation.intra | resource |
| aws_vpn_gateway_route_propagation.private | resource |
| aws_vpn_gateway_route_propagation.public | resource |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.flow_log_cloudwatch_assume_role | data source |
| aws_iam_policy_document.vpc_flow_log_cloudwatch | data source |
| aws_partition.current | data source |
| aws_region.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_amazon_side_asn"></a> amazon_side_asn | The Autonomous System Number (ASN) for the Amazon side of the gateway. By default the virtual private gateway is created with the current default Amazon ASN | `string` | `"64512"` | no |
| <a name="input_azs"></a> azs | A list of availability zones names or ids in the region | `list(string)` | `[]` | no |
| <a name="input_cidr"></a> cidr | (Optional) The IPv4 CIDR block for the VPC. CIDR can be explicitly set or it can be derived from IPAM using ipv4_netmask_length & ipv4_ipam_pool_id | `string` | `"10.0.0.0/16"` | no |
| <a name="input_create_database_internet_gateway_route"></a> create_database_internet_gateway_route | Controls if an internet gateway route for public database access should be created | `bool` | `false` | no |
| <a name="input_create_database_nat_gateway_route"></a> create_database_nat_gateway_route | Controls if a nat gateway route should be created to give internet access to the database subnets | `bool` | `false` | no |
| <a name="input_create_database_subnet_group"></a> create_database_subnet_group | Controls if database subnet group should be created (n.b. database_subnets must also be set) | `bool` | `true` | no |
| <a name="input_create_database_subnet_route_table"></a> create_database_subnet_route_table | Controls if separate route table for database should be created | `bool` | `false` | no |
| <a name="input_create_egress_only_igw"></a> create_egress_only_igw | Controls if an Egress Only Internet Gateway is created and its related routes | `bool` | `true` | no |
| <a name="input_create_elasticache_subnet_group"></a> create_elasticache_subnet_group | Controls if elasticache subnet group should be created | `bool` | `true` | no |
| <a name="input_create_elasticache_subnet_route_table"></a> create_elasticache_subnet_route_table | Controls if separate route table for elasticache should be created | `bool` | `false` | no |
| <a name="input_create_flow_log_cloudwatch_iam_role"></a> create_flow_log_cloudwatch_iam_role | Whether to create IAM role for VPC Flow Logs | `bool` | `false` | no |
| <a name="input_create_flow_log_cloudwatch_log_group"></a> create_flow_log_cloudwatch_log_group | Whether to create CloudWatch log group for VPC Flow Logs | `bool` | `false` | no |
| <a name="input_create_igw"></a> create_igw | Controls if an Internet Gateway is created for public subnets and the related routes that connect them | `bool` | `true` | no |
| <a name="input_create_multiple_intra_route_tables"></a> create_multiple_intra_route_tables | Indicates whether to create a separate route table for each intra subnet. Default: false | `bool` | `false` | no |
| <a name="input_create_multiple_public_route_tables"></a> create_multiple_public_route_tables | Indicates whether to create a separate route table for each public subnet. Default: false | `bool` | `false` | no |
| <a name="input_create_private_nat_gateway_route"></a> create_private_nat_gateway_route | Controls if a nat gateway route should be created to give internet access to the private subnets | `bool` | `true` | no |
| <a name="input_create_redshift_subnet_group"></a> create_redshift_subnet_group | Controls if redshift subnet group should be created | `bool` | `true` | no |
| <a name="input_create_redshift_subnet_route_table"></a> create_redshift_subnet_route_table | Controls if separate route table for redshift should be created | `bool` | `false` | no |
| <a name="input_create_vpc"></a> create_vpc | Controls if VPC should be created (it affects almost all resources) | `bool` | `true` | no |
| <a name="input_customer_gateway_tags"></a> customer_gateway_tags | Additional tags for the Customer Gateway | `map(string)` | `{}` | no |
| <a name="input_customer_gateways"></a> customer_gateways | Maps of Customer Gateway's attributes (BGP ASN and Gateway's Internet-routable external IP address) | `map(map(any))` | `{}` | no |
| <a name="input_customer_owned_ipv4_pool"></a> customer_owned_ipv4_pool | The customer owned IPv4 address pool. Typically used with the map_customer_owned_ip_on_launch argument. The outpost_arn argument must be specified when configured | `string` | `null` | no |
| <a name="input_database_acl_tags"></a> database_acl_tags | Additional tags for the database subnets network ACL | `map(string)` | `{}` | no |
| <a name="input_database_dedicated_network_acl"></a> database_dedicated_network_acl | Whether to use dedicated network ACL (not default) and custom rules for database subnets | `bool` | `false` | no |
| <a name="input_database_inbound_acl_rules"></a> database_inbound_acl_rules | Database subnets inbound network ACL rules | `list(map(string))` | <pre>[<br/> {<br/> "cidr_block": "0.0.0.0/0",<br/> "from_port": 0,<br/> "protocol": "-1",<br/> "rule_action": "allow",<br/> "rule_number": 100,<br/> "to_port": 0<br/> }<br/>]</pre> | no |
| <a name="input_database_outbound_acl_rules"></a> database_outbound_acl_rules | Database subnets outbound network ACL rules | `list(map(string))` | <pre>[<br/> {<br/> "cidr_block": "0.0.0.0/0",<br/> "from_port": 0,<br/> "protocol": "-1",<br/> "rule_action": "allow",<br/> "rule_number": 100,<br/> "to_port": 0<br/> }<br/>]</pre> | no |
| <a name="input_database_route_table_tags"></a> database_route_table_tags | Additional tags for the database route tables | `map(string)` | `{}` | no |
| <a name="input_database_subnet_assign_ipv6_address_on_creation"></a> database_subnet_assign_ipv6_address_on_creation | Specify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. Default is false | `bool` | `false` | no |
| <a name="input_database_subnet_enable_dns64"></a> database_subnet_enable_dns64 | Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: true | `bool` | `true` | no |
| <a name="input_database_subnet_enable_resource_name_dns_a_record_on_launch"></a> database_subnet_enable_resource_name_dns_a_record_on_launch | Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: false | `bool` | `false` | no |
| <a name="input_database_subnet_enable_resource_name_dns_aaaa_record_on_launch"></a> database_subnet_enable_resource_name_dns_aaaa_record_on_launch | Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: true | `bool` | `true` | no |
| <a name="input_database_subnet_group_name"></a> database_subnet_group_name | Name of database subnet group | `string` | `null` | no |
| <a name="input_database_subnet_group_tags"></a> database_subnet_group_tags | Additional tags for the database subnet group | `map(string)` | `{}` | no |
| <a name="input_database_subnet_ipv6_native"></a> database_subnet_ipv6_native | Indicates whether to create an IPv6-only subnet. Default: false | `bool` | `false` | no |
| <a name="input_database_subnet_ipv6_prefixes"></a> database_subnet_ipv6_prefixes | Assigns IPv6 database subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list | `list(string)` | `[]` | no |
| <a name="input_database_subnet_names"></a> database_subnet_names | Explicit values to use in the Name tag on database subnets. If empty, Name tags are generated | `list(string)` | `[]` | no |
| <a name="input_database_subnet_private_dns_hostname_type_on_launch"></a> database_subnet_private_dns_hostname_type_on_launch | The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: ip-name, resource-name | `string` | `null` | no |
| <a name="input_database_subnet_suffix"></a> database_subnet_suffix | Suffix to append to database subnets name | `string` | `"db"` | no |
| <a name="input_database_subnet_tags"></a> database_subnet_tags | Additional tags for the database subnets | `map(string)` | `{}` | no |
| <a name="input_database_subnets"></a> database_subnets | A list of database subnets inside the VPC | `list(string)` | `[]` | no |
| <a name="input_default_network_acl_egress"></a> default_network_acl_egress | List of maps of egress rules to set on the Default Network ACL | `list(map(string))` | <pre>[<br/> {<br/> "action": "allow",<br/> "cidr_block": "0.0.0.0/0",<br/> "from_port": 0,<br/> "protocol": "-1",<br/> "rule_no": 100,<br/> "to_port": 0<br/> },<br/> {<br/> "action": "allow",<br/> "from_port": 0,<br/> "ipv6_cidr_block": "::/0",<br/> "protocol": "-1",<br/> "rule_no": 101,<br/> "to_port": 0<br/> }<br/>]</pre> | no |
| <a name="input_default_network_acl_ingress"></a> default_network_acl_ingress | List of maps of ingress rules to set on the Default Network ACL | `list(map(string))` | <pre>[<br/> {<br/> "action": "allow",<br/> "cidr_block": "0.0.0.0/0",<br/> "from_port": 0,<br/> "protocol": "-1",<br/> "rule_no": 100,<br/> "to_port": 0<br/> },<br/> {<br/> "action": "allow",<br/> "from_port": 0,<br/> "ipv6_cidr_block": "::/0",<br/> "protocol": "-1",<br/> "rule_no": 101,<br/> "to_port": 0<br/> }<br/>]</pre> | no |
| <a name="input_default_network_acl_name"></a> default_network_acl_name | Name to be used on the Default Network ACL | `string` | `null` | no |
| <a name="input_default_network_acl_tags"></a> default_network_acl_tags | Additional tags for the Default Network ACL | `map(string)` | `{}` | no |
| <a name="input_default_route_table_name"></a> default_route_table_name | Name to be used on the default route table | `string` | `null` | no |
| <a name="input_default_route_table_propagating_vgws"></a> default_route_table_propagating_vgws | List of virtual gateways for propagation | `list(string)` | `[]` | no |
| <a name="input_default_route_table_routes"></a> default_route_table_routes | Configuration block of routes. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_route_table#route | `list(map(string))` | `[]` | no |
| <a name="input_default_route_table_tags"></a> default_route_table_tags | Additional tags for the default route table | `map(string)` | `{}` | no |
| <a name="input_default_security_group_egress"></a> default_security_group_egress | List of maps of egress rules to set on the default security group | `list(map(string))` | `[]` | no |
| <a name="input_default_security_group_ingress"></a> default_security_group_ingress | List of maps of ingress rules to set on the default security group | `list(map(string))` | `[]` | no |
| <a name="input_default_security_group_name"></a> default_security_group_name | Name to be used on the default security group | `string` | `null` | no |
| <a name="input_default_security_group_tags"></a> default_security_group_tags | Additional tags for the default security group | `map(string)` | `{}` | no |
| <a name="input_default_vpc_enable_dns_hostnames"></a> default_vpc_enable_dns_hostnames | Should be true to enable DNS hostnames in the Default VPC | `bool` | `true` | no |
| <a name="input_default_vpc_enable_dns_support"></a> default_vpc_enable_dns_support | Should be true to enable DNS support in the Default VPC | `bool` | `true` | no |
| <a name="input_default_vpc_name"></a> default_vpc_name | Name to be used on the Default VPC | `string` | `null` | no |
| <a name="input_default_vpc_tags"></a> default_vpc_tags | Additional tags for the Default VPC | `map(string)` | `{}` | no |
| <a name="input_dhcp_options_domain_name"></a> dhcp_options_domain_name | Specifies DNS name for DHCP options set (requires enable_dhcp_options set to true) | `string` | `""` | no |
| <a name="input_dhcp_options_domain_name_servers"></a> dhcp_options_domain_name_servers | Specify a list of DNS server addresses for DHCP options set, default to AWS provided (requires enable_dhcp_options set to true) | `list(string)` | <pre>[<br/> "AmazonProvidedDNS"<br/>]</pre> | no |
| <a name="input_dhcp_options_ipv6_address_preferred_lease_time"></a> dhcp_options_ipv6_address_preferred_lease_time | How frequently, in seconds, a running instance with an IPv6 assigned to it goes through DHCPv6 lease renewal (requires enable_dhcp_options set to true) | `number` | `null` | no |
| <a name="input_dhcp_options_netbios_name_servers"></a> dhcp_options_netbios_name_servers | Specify a list of netbios servers for DHCP options set (requires enable_dhcp_options set to true) | `list(string)` | `[]` | no |
| <a name="input_dhcp_options_netbios_node_type"></a> dhcp_options_netbios_node_type | Specify netbios node_type for DHCP options set (requires enable_dhcp_options set to true) | `string` | `""` | no |
| <a name="input_dhcp_options_ntp_servers"></a> dhcp_options_ntp_servers | Specify a list of NTP servers for DHCP options set (requires enable_dhcp_options set to true) | `list(string)` | `[]` | no |
| <a name="input_dhcp_options_tags"></a> dhcp_options_tags | Additional tags for the DHCP option set (requires enable_dhcp_options set to true) | `map(string)` | `{}` | no |
| <a name="input_elasticache_acl_tags"></a> elasticache_acl_tags | Additional tags for the elasticache subnets network ACL | `map(string)` | `{}` | no |
| <a name="input_elasticache_dedicated_network_acl"></a> elasticache_dedicated_network_acl | Whether to use dedicated network ACL (not default) and custom rules for elasticache subnets | `bool` | `false` | no |
| <a name="input_elasticache_inbound_acl_rules"></a> elasticache_inbound_acl_rules | Elasticache subnets inbound network ACL rules | `list(map(string))` | <pre>[<br/> {<br/> "cidr_block": "0.0.0.0/0",<br/> "from_port": 0,<br/> "protocol": "-1",<br/> "rule_action": "allow",<br/> "rule_number": 100,<br/> "to_port": 0<br/> }<br/>]</pre> | no |
| <a name="input_elasticache_outbound_acl_rules"></a> elasticache_outbound_acl_rules | Elasticache subnets outbound network ACL rules | `list(map(string))` | <pre>[<br/> {<br/> "cidr_block": "0.0.0.0/0",<br/> "from_port": 0,<br/> "protocol": "-1",<br/> "rule_action": "allow",<br/> "rule_number": 100,<br/> "to_port": 0<br/> }<br/>]</pre> | no |
| <a name="input_elasticache_route_table_tags"></a> elasticache_route_table_tags | Additional tags for the elasticache route tables | `map(string)` | `{}` | no |
| <a name="input_elasticache_subnet_assign_ipv6_address_on_creation"></a> elasticache_subnet_assign_ipv6_address_on_creation | Specify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. Default is false | `bool` | `false` | no |
| <a name="input_elasticache_subnet_enable_dns64"></a> elasticache_subnet_enable_dns64 | Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: true | `bool` | `true` | no |
| <a name="input_elasticache_subnet_enable_resource_name_dns_a_record_on_launch"></a> elasticache_subnet_enable_resource_name_dns_a_record_on_launch | Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: false | `bool` | `false` | no |
| <a name="input_elasticache_subnet_enable_resource_name_dns_aaaa_record_on_launch"></a> elasticache_subnet_enable_resource_name_dns_aaaa_record_on_launch | Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: true | `bool` | `true` | no |
| <a name="input_elasticache_subnet_group_name"></a> elasticache_subnet_group_name | Name of elasticache subnet group | `string` | `null` | no |
| <a name="input_elasticache_subnet_group_tags"></a> elasticache_subnet_group_tags | Additional tags for the elasticache subnet group | `map(string)` | `{}` | no |
| <a name="input_elasticache_subnet_ipv6_native"></a> elasticache_subnet_ipv6_native | Indicates whether to create an IPv6-only subnet. Default: false | `bool` | `false` | no |
| <a name="input_elasticache_subnet_ipv6_prefixes"></a> elasticache_subnet_ipv6_prefixes | Assigns IPv6 elasticache subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list | `list(string)` | `[]` | no |
| <a name="input_elasticache_subnet_names"></a> elasticache_subnet_names | Explicit values to use in the Name tag on elasticache subnets. If empty, Name tags are generated | `list(string)` | `[]` | no |
| <a name="input_elasticache_subnet_private_dns_hostname_type_on_launch"></a> elasticache_subnet_private_dns_hostname_type_on_launch | The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: ip-name, resource-name | `string` | `null` | no |
| <a name="input_elasticache_subnet_suffix"></a> elasticache_subnet_suffix | Suffix to append to elasticache subnets name | `string` | `"elasticache"` | no |
| <a name="input_elasticache_subnet_tags"></a> elasticache_subnet_tags | Additional tags for the elasticache subnets | `map(string)` | `{}` | no |
| <a name="input_elasticache_subnets"></a> elasticache_subnets | A list of elasticache subnets inside the VPC | `list(string)` | `[]` | no |
| <a name="input_enable_dhcp_options"></a> enable_dhcp_options | Should be true if you want to specify a DHCP options set with a custom domain name, DNS servers, NTP servers, netbios servers, and/or netbios server type | `bool` | `false` | no |
| <a name="input_enable_dns_hostnames"></a> enable_dns_hostnames | Should be true to enable DNS hostnames in the VPC | `bool` | `true` | no |
| <a name="input_enable_dns_support"></a> enable_dns_support | Should be true to enable DNS support in the VPC | `bool` | `true` | no |
| <a name="input_enable_flow_log"></a> enable_flow_log | Whether or not to enable VPC Flow Logs | `bool` | `false` | no |
| <a name="input_enable_ipv6"></a> enable_ipv6 | Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block | `bool` | `false` | no |
| <a name="input_enable_nat_gateway"></a> enable_nat_gateway | Should be true if you want to provision NAT Gateways for each of your private networks | `bool` | `false` | no |
| <a name="input_enable_network_address_usage_metrics"></a> enable_network_address_usage_metrics | Determines whether network address usage metrics are enabled for the VPC | `bool` | `null` | no |
| <a name="input_enable_public_redshift"></a> enable_public_redshift | Controls if redshift should have public routing table | `bool` | `false` | no |
| <a name="input_enable_vpn_gateway"></a> enable_vpn_gateway | Should be true if you want to create a new VPN Gateway resource and attach it to the VPC | `bool` | `false` | no |
| <a name="input_external_nat_ip_ids"></a> external_nat_ip_ids | List of EIP IDs to be assigned to the NAT Gateways (used in combination with reuse_nat_ips) | `list(string)` | `[]` | no |
| <a name="input_external_nat_ips"></a> external_nat_ips | List of EIPs to be used for nat_public_ips output (used in combination with reuse_nat_ips and external_nat_ip_ids) | `list(string)` | `[]` | no |
| <a name="input_flow_log_cloudwatch_iam_role_arn"></a> flow_log_cloudwatch_iam_role_arn | The ARN for the IAM role that's used to post flow logs to a CloudWatch Logs log group. When flow_log_destination_arn is set to ARN of Cloudwatch Logs, this argument needs to be provided | `string` | `""` | no |
| <a name="input_flow_log_cloudwatch_iam_role_conditions"></a> flow_log_cloudwatch_iam_role_conditions | Additional conditions of the CloudWatch role assumption policy | <pre>list(object({<br/> test = string<br/> variable = string<br/> values = list(string)<br/> }))</pre> | `[]` | no |
| <a name="input_flow_log_cloudwatch_log_group_class"></a> flow_log_cloudwatch_log_group_class | Specified the log class of the log group. Possible values are: STANDARD or INFREQUENT_ACCESS | `string` | `null` | no |
| <a name="input_flow_log_cloudwatch_log_group_kms_key_id"></a> flow_log_cloudwatch_log_group_kms_key_id | The ARN of the KMS Key to use when encrypting log data for VPC flow logs | `string` | `null` | no |
| <a name="input_flow_log_cloudwatch_log_group_name_prefix"></a> flow_log_cloudwatch_log_group_name_prefix | Specifies the name prefix of CloudWatch Log Group for VPC flow logs | `string` | `"/aws/vpc-flow-log/"` | no |
| <a name="input_flow_log_cloudwatch_log_group_name_suffix"></a> flow_log_cloudwatch_log_group_name_suffix | Specifies the name suffix of CloudWatch Log Group for VPC flow logs | `string` | `""` | no |
| <a name="input_flow_log_cloudwatch_log_group_retention_in_days"></a> flow_log_cloudwatch_log_group_retention_in_days | Specifies the number of days you want to retain log events in the specified log group for VPC flow logs | `number` | `null` | no |
| <a name="input_flow_log_cloudwatch_log_group_skip_destroy"></a> flow_log_cloudwatch_log_group_skip_destroy | Set to true if you do not wish the log group (and any logs it may contain) to be deleted at destroy time, and instead just remove the log group from the Terraform state | `bool` | `false` | no |
| <a name="input_flow_log_deliver_cross_account_role"></a> flow_log_deliver_cross_account_role | (Optional) ARN of the IAM role that allows Amazon EC2 to publish flow logs across accounts. | `string` | `null` | no |
| <a name="input_flow_log_destination_arn"></a> flow_log_destination_arn | The ARN of the CloudWatch log group or S3 bucket where VPC Flow Logs will be pushed. If this ARN is a S3 bucket the appropriate permissions need to be set on that bucket's policy. When create_flow_log_cloudwatch_log_group is set to false this argument must be provided | `string` | `""` | no |
| <a name="input_flow_log_destination_type"></a> flow_log_destination_type | Type of flow log destination. Can be s3, kinesis-data-firehose or cloud-watch-logs | `string` | `"cloud-watch-logs"` | no |
| <a name="input_flow_log_file_format"></a> flow_log_file_format | (Optional) The format for the flow log. Valid values: plain-text, parquet | `string` | `null` | no |
| <a name="input_flow_log_hive_compatible_partitions"></a> flow_log_hive_compatible_partitions | (Optional) Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3 | `bool` | `false` | no |
| <a name="input_flow_log_log_format"></a> flow_log_log_format | The fields to include in the flow log record, in the order in which they should appear | `string` | `null` | no |
| <a name="input_flow_log_max_aggregation_interval"></a> flow_log_max_aggregation_interval | The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: 60 seconds or 600 seconds | `number` | `600` | no |
| <a name="input_flow_log_per_hour_partition"></a> flow_log_per_hour_partition | (Optional) Indicates whether to partition the flow log per hour. This reduces the cost and response time for queries | `bool` | `false` | no |
| <a name="input_flow_log_traffic_type"></a> flow_log_traffic_type | The type of traffic to capture. Valid values: ACCEPT, REJECT, ALL | `string` | `"ALL"` | no |
| <a name="input_igw_tags"></a> igw_tags | Additional tags for the internet gateway | `map(string)` | `{}` | no |
| <a name="input_instance_tenancy"></a> instance_tenancy | A tenancy option for instances launched into the VPC | `string` | `"default"` | no |
<a name="input_intra_acl_tags"></a> intra_acl_tagsAdditional tags for the intra subnets network ACLmap(string){}no
<a name="input_intra_dedicated_network_acl"></a> intra_dedicated_network_aclWhether to use dedicated network ACL (not default) and custom rules for intra subnetsboolfalseno
<a name="input_intra_inbound_acl_rules"></a> intra_inbound_acl_rulesIntra subnets inbound network ACLslist(map(string))<pre>[<br/> {<br/> "cidr_block": "0.0.0.0/0",<br/> "from_port": 0,<br/> "protocol": "-1",<br/> "rule_action": "allow",<br/> "rule_number": 100,<br/> "to_port": 0<br/> }<br/>]</pre>no
<a name="input_intra_outbound_acl_rules"></a> intra_outbound_acl_rulesIntra subnets outbound network ACLslist(map(string))<pre>[<br/> {<br/> "cidr_block": "0.0.0.0/0",<br/> "from_port": 0,<br/> "protocol": "-1",<br/> "rule_action": "allow",<br/> "rule_number": 100,<br/> "to_port": 0<br/> }<br/>]</pre>no
<a name="input_intra_route_table_tags"></a> intra_route_table_tagsAdditional tags for the intra route tablesmap(string){}no
<a name="input_intra_subnet_assign_ipv6_address_on_creation"></a> intra_subnet_assign_ipv6_address_on_creationSpecify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. Default is falseboolfalseno
<a name="input_intra_subnet_enable_dns64"></a> intra_subnet_enable_dns64Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: truebooltrueno
<a name="input_intra_subnet_enable_resource_name_dns_a_record_on_launch"></a> intra_subnet_enable_resource_name_dns_a_record_on_launchIndicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: falseboolfalseno
<a name="input_intra_subnet_enable_resource_name_dns_aaaa_record_on_launch"></a> intra_subnet_enable_resource_name_dns_aaaa_record_on_launchIndicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: truebooltrueno
<a name="input_intra_subnet_ipv6_native"></a> intra_subnet_ipv6_nativeIndicates whether to create an IPv6-only subnet. Default: falseboolfalseno
<a name="input_intra_subnet_ipv6_prefixes"></a> intra_subnet_ipv6_prefixesAssigns IPv6 intra subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet listlist(string)[]no
<a name="input_intra_subnet_names"></a> intra_subnet_namesExplicit values to use in the Name tag on intra subnets. If empty, Name tags are generatedlist(string)[]no
<a name="input_intra_subnet_private_dns_hostname_type_on_launch"></a> intra_subnet_private_dns_hostname_type_on_launchThe type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: ip-name, resource-namestringnullno
<a name="input_intra_subnet_suffix"></a> intra_subnet_suffixSuffix to append to intra subnets namestring"intra"no
<a name="input_intra_subnet_tags"></a> intra_subnet_tagsAdditional tags for the intra subnetsmap(string){}no
<a name="input_intra_subnets"></a> intra_subnetsA list of intra subnets inside the VPClist(string)[]no
<a name="input_ipv4_ipam_pool_id"></a> ipv4_ipam_pool_id(Optional) The ID of an IPv4 IPAM pool you want to use for allocating this VPC's CIDRstringnullno
<a name="input_ipv4_netmask_length"></a> ipv4_netmask_length(Optional) The netmask length of the IPv4 CIDR you want to allocate to this VPC. Requires specifying a ipv4_ipam_pool_idnumbernullno
<a name="input_ipv6_cidr"></a> ipv6_cidr(Optional) IPv6 CIDR block to request from an IPAM Pool. Can be set explicitly or derived from IPAM using ipv6_netmask_lengthstringnullno
<a name="input_ipv6_cidr_block_network_border_group"></a> ipv6_cidr_block_network_border_groupBy default when an IPv6 CIDR is assigned to a VPC a default ipv6_cidr_block_network_border_group will be set to the region of the VPC. This can be changed to restrict advertisement of public addresses to specific Network Border Groups such as LocalZonesstringnullno
<a name="input_ipv6_ipam_pool_id"></a> ipv6_ipam_pool_id(Optional) IPAM Pool ID for a IPv6 pool. Conflicts with assign_generated_ipv6_cidr_blockstringnullno
<a name="input_ipv6_netmask_length"></a> ipv6_netmask_length(Optional) Netmask length to request from IPAM Pool. Conflicts with ipv6_cidr_block. This can be omitted if IPAM pool as a allocation_default_netmask_length set. Valid values: 56numbernullno
<a name="input_manage_default_network_acl"></a> manage_default_network_aclShould be true to adopt and manage Default Network ACLbooltrueno
<a name="input_manage_default_route_table"></a> manage_default_route_tableShould be true to manage default route tablebooltrueno
<a name="input_manage_default_security_group"></a> manage_default_security_groupShould be true to adopt and manage default security groupbooltrueno
<a name="input_manage_default_vpc"></a> manage_default_vpcShould be true to adopt and manage Default VPCboolfalseno
<a name="input_map_customer_owned_ip_on_launch"></a> map_customer_owned_ip_on_launchSpecify true to indicate that network interfaces created in the subnet should be assigned a customer owned IP address. The customer_owned_ipv4_pool and outpost_arn arguments must be specified when set to true. Default is falseboolfalseno
<a name="input_map_public_ip_on_launch"></a> map_public_ip_on_launchSpecify true to indicate that instances launched into the subnet should be assigned a public IP address. Default is falseboolfalseno
<a name="input_name"></a> nameName to be used on all the resources as identifierstring""no
<a name="input_nat_eip_tags"></a> nat_eip_tagsAdditional tags for the NAT EIPmap(string){}no
<a name="input_nat_gateway_destination_cidr_block"></a> nat_gateway_destination_cidr_blockUsed to pass a custom destination route for private NAT Gateway. If not specified, the default 0.0.0.0/0 is used as a destination routestring"0.0.0.0/0"no
<a name="input_nat_gateway_tags"></a> nat_gateway_tagsAdditional tags for the NAT gatewaysmap(string){}no
<a name="input_one_nat_gateway_per_az"></a> one_nat_gateway_per_azShould be true if you want only one NAT Gateway per availability zone. Requires var.azs to be set, and the number of public_subnets created to be greater than or equal to the number of availability zones specified in var.azsboolfalseno
<a name="input_outpost_acl_tags"></a> outpost_acl_tagsAdditional tags for the outpost subnets network ACLmap(string){}no
<a name="input_outpost_arn"></a> outpost_arnARN of Outpost you want to create a subnet instringnullno
<a name="input_outpost_az"></a> outpost_azAZ where Outpost is anchoredstringnullno
<a name="input_outpost_dedicated_network_acl"></a> outpost_dedicated_network_aclWhether to use dedicated network ACL (not default) and custom rules for outpost subnetsboolfalseno
<a name="input_outpost_inbound_acl_rules"></a> outpost_inbound_acl_rulesOutpost subnets inbound network ACLslist(map(string))<pre>[<br/> {<br/> "cidr_block": "0.0.0.0/0",<br/> "from_port": 0,<br/> "protocol": "-1",<br/> "rule_action": "allow",<br/> "rule_number": 100,<br/> "to_port": 0<br/> }<br/>]</pre>no
<a name="input_outpost_outbound_acl_rules"></a> outpost_outbound_acl_rulesOutpost subnets outbound network ACLslist(map(string))<pre>[<br/> {<br/> "cidr_block": "0.0.0.0/0",<br/> "from_port": 0,<br/> "protocol": "-1",<br/> "rule_action": "allow",<br/> "rule_number": 100,<br/> "to_port": 0<br/> }<br/>]</pre>no
<a name="input_outpost_subnet_assign_ipv6_address_on_creation"></a> outpost_subnet_assign_ipv6_address_on_creationSpecify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. Default is falseboolfalseno
<a name="input_outpost_subnet_enable_dns64"></a> outpost_subnet_enable_dns64Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: truebooltrueno
<a name="input_outpost_subnet_enable_resource_name_dns_a_record_on_launch"></a> outpost_subnet_enable_resource_name_dns_a_record_on_launchIndicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: falseboolfalseno
<a name="input_outpost_subnet_enable_resource_name_dns_aaaa_record_on_launch"></a> outpost_subnet_enable_resource_name_dns_aaaa_record_on_launchIndicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: truebooltrueno
<a name="input_outpost_subnet_ipv6_native"></a> outpost_subnet_ipv6_nativeIndicates whether to create an IPv6-only subnet. Default: falseboolfalseno
<a name="input_outpost_subnet_ipv6_prefixes"></a> outpost_subnet_ipv6_prefixesAssigns IPv6 outpost subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet listlist(string)[]no
<a name="input_outpost_subnet_names"></a> outpost_subnet_namesExplicit values to use in the Name tag on outpost subnets. If empty, Name tags are generatedlist(string)[]no
<a name="input_outpost_subnet_private_dns_hostname_type_on_launch"></a> outpost_subnet_private_dns_hostname_type_on_launchThe type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: ip-name, resource-namestringnullno
<a name="input_outpost_subnet_suffix"></a> outpost_subnet_suffixSuffix to append to outpost subnets namestring"outpost"no
<a name="input_outpost_subnet_tags"></a> outpost_subnet_tagsAdditional tags for the outpost subnetsmap(string){}no
<a name="input_outpost_subnets"></a> outpost_subnetsA list of outpost subnets inside the VPClist(string)[]no
<a name="input_private_acl_tags"></a> private_acl_tagsAdditional tags for the private subnets network ACLmap(string){}no
<a name="input_private_dedicated_network_acl"></a> private_dedicated_network_aclWhether to use dedicated network ACL (not default) and custom rules for private subnetsboolfalseno
<a name="input_private_inbound_acl_rules"></a> private_inbound_acl_rulesPrivate subnets inbound network ACLslist(map(string))<pre>[<br/> {<br/> "cidr_block": "0.0.0.0/0",<br/> "from_port": 0,<br/> "protocol": "-1",<br/> "rule_action": "allow",<br/> "rule_number": 100,<br/> "to_port": 0<br/> }<br/>]</pre>no
<a name="input_private_outbound_acl_rules"></a> private_outbound_acl_rulesPrivate subnets outbound network ACLslist(map(string))<pre>[<br/> {<br/> "cidr_block": "0.0.0.0/0",<br/> "from_port": 0,<br/> "protocol": "-1",<br/> "rule_action": "allow",<br/> "rule_number": 100,<br/> "to_port": 0<br/> }<br/>]</pre>no
<a name="input_private_route_table_tags"></a> private_route_table_tagsAdditional tags for the private route tablesmap(string){}no
<a name="input_private_subnet_assign_ipv6_address_on_creation"></a> private_subnet_assign_ipv6_address_on_creationSpecify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. Default is falseboolfalseno
<a name="input_private_subnet_enable_dns64"></a> private_subnet_enable_dns64Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: truebooltrueno
<a name="input_private_subnet_enable_resource_name_dns_a_record_on_launch"></a> private_subnet_enable_resource_name_dns_a_record_on_launchIndicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: falseboolfalseno
<a name="input_private_subnet_enable_resource_name_dns_aaaa_record_on_launch"></a> private_subnet_enable_resource_name_dns_aaaa_record_on_launchIndicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: truebooltrueno
<a name="input_private_subnet_ipv6_native"></a> private_subnet_ipv6_nativeIndicates whether to create an IPv6-only subnet. Default: falseboolfalseno
<a name="input_private_subnet_ipv6_prefixes"></a> private_subnet_ipv6_prefixesAssigns IPv6 private subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet listlist(string)[]no
<a name="input_private_subnet_names"></a> private_subnet_namesExplicit values to use in the Name tag on private subnets. If empty, Name tags are generatedlist(string)[]no
<a name="input_private_subnet_private_dns_hostname_type_on_launch"></a> private_subnet_private_dns_hostname_type_on_launchThe type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: ip-name, resource-namestringnullno
<a name="input_private_subnet_suffix"></a> private_subnet_suffixSuffix to append to private subnets namestring"private"no
<a name="input_private_subnet_tags"></a> private_subnet_tagsAdditional tags for the private subnetsmap(string){}no
<a name="input_private_subnet_tags_per_az"></a> private_subnet_tags_per_azAdditional tags for the private subnets where the primary key is the AZmap(map(string)){}no
<a name="input_private_subnets"></a> private_subnetsA list of private subnets inside the VPClist(string)[]no
<a name="input_propagate_intra_route_tables_vgw"></a> propagate_intra_route_tables_vgwShould be true if you want route table propagationboolfalseno
<a name="input_propagate_private_route_tables_vgw"></a> propagate_private_route_tables_vgwShould be true if you want route table propagationboolfalseno
<a name="input_propagate_public_route_tables_vgw"></a> propagate_public_route_tables_vgwShould be true if you want route table propagationboolfalseno
<a name="input_public_acl_tags"></a> public_acl_tagsAdditional tags for the public subnets network ACLmap(string){}no
<a name="input_public_dedicated_network_acl"></a> public_dedicated_network_aclWhether to use dedicated network ACL (not default) and custom rules for public subnetsboolfalseno
<a name="input_public_inbound_acl_rules"></a> public_inbound_acl_rulesPublic subnets inbound network ACLslist(map(string))<pre>[<br/> {<br/> "cidr_block": "0.0.0.0/0",<br/> "from_port": 0,<br/> "protocol": "-1",<br/> "rule_action": "allow",<br/> "rule_number": 100,<br/> "to_port": 0<br/> }<br/>]</pre>no
<a name="input_public_outbound_acl_rules"></a> public_outbound_acl_rulesPublic subnets outbound network ACLslist(map(string))<pre>[<br/> {<br/> "cidr_block": "0.0.0.0/0",<br/> "from_port": 0,<br/> "protocol": "-1",<br/> "rule_action": "allow",<br/> "rule_number": 100,<br/> "to_port": 0<br/> }<br/>]</pre>no
<a name="input_public_route_table_tags"></a> public_route_table_tagsAdditional tags for the public route tablesmap(string){}no
<a name="input_public_subnet_assign_ipv6_address_on_creation"></a> public_subnet_assign_ipv6_address_on_creationSpecify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. Default is falseboolfalseno
<a name="input_public_subnet_enable_dns64"></a> public_subnet_enable_dns64Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: truebooltrueno
<a name="input_public_subnet_enable_resource_name_dns_a_record_on_launch"></a> public_subnet_enable_resource_name_dns_a_record_on_launchIndicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: falseboolfalseno
<a name="input_public_subnet_enable_resource_name_dns_aaaa_record_on_launch"></a> public_subnet_enable_resource_name_dns_aaaa_record_on_launchIndicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: truebooltrueno
<a name="input_public_subnet_ipv6_native"></a> public_subnet_ipv6_nativeIndicates whether to create an IPv6-only subnet. Default: falseboolfalseno
<a name="input_public_subnet_ipv6_prefixes"></a> public_subnet_ipv6_prefixesAssigns IPv6 public subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet listlist(string)[]no
<a name="input_public_subnet_names"></a> public_subnet_namesExplicit values to use in the Name tag on public subnets. If empty, Name tags are generatedlist(string)[]no
<a name="input_public_subnet_private_dns_hostname_type_on_launch"></a> public_subnet_private_dns_hostname_type_on_launchThe type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: ip-name, resource-namestringnullno
<a name="input_public_subnet_suffix"></a> public_subnet_suffixSuffix to append to public subnets namestring"public"no
<a name="input_public_subnet_tags"></a> public_subnet_tagsAdditional tags for the public subnetsmap(string){}no
<a name="input_public_subnet_tags_per_az"></a> public_subnet_tags_per_azAdditional tags for the public subnets where the primary key is the AZmap(map(string)){}no
<a name="input_public_subnets"></a> public_subnetsA list of public subnets inside the VPClist(string)[]no
<a name="input_putin_khuylo"></a> putin_khuyloDo you agree that Putin doesn't respect Ukrainian sovereignty and territorial integrity? More info: https://en.wikipedia.org/wiki/Putin_khuylo!booltrueno
<a name="input_redshift_acl_tags"></a> redshift_acl_tagsAdditional tags for the redshift subnets network ACLmap(string){}no
<a name="input_redshift_dedicated_network_acl"></a> redshift_dedicated_network_aclWhether to use dedicated network ACL (not default) and custom rules for redshift subnetsboolfalseno
<a name="input_redshift_inbound_acl_rules"></a> redshift_inbound_acl_rulesRedshift subnets inbound network ACL ruleslist(map(string))<pre>[<br/> {<br/> "cidr_block": "0.0.0.0/0",<br/> "from_port": 0,<br/> "protocol": "-1",<br/> "rule_action": "allow",<br/> "rule_number": 100,<br/> "to_port": 0<br/> }<br/>]</pre>no
<a name="input_redshift_outbound_acl_rules"></a> redshift_outbound_acl_rulesRedshift subnets outbound network ACL ruleslist(map(string))<pre>[<br/> {<br/> "cidr_block": "0.0.0.0/0",<br/> "from_port": 0,<br/> "protocol": "-1",<br/> "rule_action": "allow",<br/> "rule_number": 100,<br/> "to_port": 0<br/> }<br/>]</pre>no
<a name="input_redshift_route_table_tags"></a> redshift_route_table_tagsAdditional tags for the redshift route tablesmap(string){}no
<a name="input_redshift_subnet_assign_ipv6_address_on_creation"></a> redshift_subnet_assign_ipv6_address_on_creationSpecify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. Default is falseboolfalseno
<a name="input_redshift_subnet_enable_dns64"></a> redshift_subnet_enable_dns64Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: truebooltrueno
<a name="input_redshift_subnet_enable_resource_name_dns_a_record_on_launch"></a> redshift_subnet_enable_resource_name_dns_a_record_on_launchIndicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: falseboolfalseno
<a name="input_redshift_subnet_enable_resource_name_dns_aaaa_record_on_launch"></a> redshift_subnet_enable_resource_name_dns_aaaa_record_on_launchIndicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: truebooltrueno
<a name="input_redshift_subnet_group_name"></a> redshift_subnet_group_nameName of redshift subnet groupstringnullno
<a name="input_redshift_subnet_group_tags"></a> redshift_subnet_group_tagsAdditional tags for the redshift subnet groupmap(string){}no
<a name="input_redshift_subnet_ipv6_native"></a> redshift_subnet_ipv6_nativeIndicates whether to create an IPv6-only subnet. Default: falseboolfalseno
<a name="input_redshift_subnet_ipv6_prefixes"></a> redshift_subnet_ipv6_prefixesAssigns IPv6 redshift subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet listlist(string)[]no
<a name="input_redshift_subnet_names"></a> redshift_subnet_namesExplicit values to use in the Name tag on redshift subnets. If empty, Name tags are generatedlist(string)[]no
<a name="input_redshift_subnet_private_dns_hostname_type_on_launch"></a> redshift_subnet_private_dns_hostname_type_on_launchThe type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: ip-name, resource-namestringnullno
<a name="input_redshift_subnet_suffix"></a> redshift_subnet_suffixSuffix to append to redshift subnets namestring"redshift"no
<a name="input_redshift_subnet_tags"></a> redshift_subnet_tagsAdditional tags for the redshift subnetsmap(string){}no
<a name="input_redshift_subnets"></a> redshift_subnetsA list of redshift subnets inside the VPClist(string)[]no
<a name="input_reuse_nat_ips"></a> reuse_nat_ipsShould be true if you don't want EIPs to be created for your NAT Gateways and will instead pass them in via the 'external_nat_ip_ids' variableboolfalseno
<a name="input_secondary_cidr_blocks"></a> secondary_cidr_blocksList of secondary CIDR blocks to associate with the VPC to extend the IP Address poollist(string)[]no
<a name="input_single_nat_gateway"></a> single_nat_gatewayShould be true if you want to provision a single shared NAT Gateway across all of your private networksboolfalseno
<a name="input_tags"></a> tagsA map of tags to add to all resourcesmap(string){}no
<a name="input_use_ipam_pool"></a> use_ipam_poolDetermines whether IPAM pool is used for CIDR allocationboolfalseno
<a name="input_vpc_flow_log_iam_policy_name"></a> vpc_flow_log_iam_policy_nameName of the IAM policystring"vpc-flow-log-to-cloudwatch"no
<a name="input_vpc_flow_log_iam_policy_use_name_prefix"></a> vpc_flow_log_iam_policy_use_name_prefixDetermines whether the name of the IAM policy (vpc_flow_log_iam_policy_name) is used as a prefixbooltrueno
<a name="input_vpc_flow_log_iam_role_name"></a> vpc_flow_log_iam_role_nameName to use on the VPC Flow Log IAM role createdstring"vpc-flow-log-role"no
<a name="input_vpc_flow_log_iam_role_use_name_prefix"></a> vpc_flow_log_iam_role_use_name_prefixDetermines whether the IAM role name (vpc_flow_log_iam_role_name_name) is used as a prefixbooltrueno
<a name="input_vpc_flow_log_permissions_boundary"></a> vpc_flow_log_permissions_boundaryThe ARN of the Permissions Boundary for the VPC Flow Log IAM Rolestringnullno
<a name="input_vpc_flow_log_tags"></a> vpc_flow_log_tagsAdditional tags for the VPC Flow Logsmap(string){}no
<a name="input_vpc_tags"></a> vpc_tagsAdditional tags for the VPCmap(string){}no
<a name="input_vpn_gateway_az"></a> vpn_gateway_azThe Availability Zone for the VPN Gatewaystringnullno
<a name="input_vpn_gateway_id"></a> vpn_gateway_idID of VPN Gateway to attach to the VPCstring""no
<a name="input_vpn_gateway_tags"></a> vpn_gateway_tagsAdditional tags for the VPN gatewaymap(string){}no
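
The inputs above include the settings that decide how much of a VPC's traffic is visible and how open its subnet boundaries are. The module call below is an added example (not code from the module's README or examples) that adopts the default security group and network ACL so Terraform owns them, replaces the module's allow-all default for the private-subnet dedicated NACL with a narrower rule set, and sends flow logs to a KMS-encrypted CloudWatch log group with fixed retention. `enable_flow_log` and `create_flow_log_cloudwatch_iam_role` are module inputs that fall outside this excerpt and are assumed here; the CIDRs, account ID and ARNs are constructed placeholders.

```hcl
# Added example, not the module's own code. Values marked "constructed" or
# PLACEHOLDER are illustrative and must be replaced.
module "vpc" {
  source = "terraform-aws-modules/vpc/aws"

  name = "hardened-vpc"  # constructed
  cidr = "10.20.0.0/16"  # constructed

  azs             = ["eu-west-1a", "eu-west-1b"]          # constructed
  private_subnets = ["10.20.1.0/24", "10.20.2.0/24"]      # constructed
  public_subnets  = ["10.20.101.0/24", "10.20.102.0/24"]  # constructed

  # Keep the exposure-reducing default explicit: instances launched into the
  # public subnets do not receive a public IP unless the launch asks for one.
  map_public_ip_on_launch = false

  # Adopt the AWS-created default security group and default network ACL so
  # they are tracked in state instead of sitting unmanaged next to the module.
  manage_default_security_group = true
  manage_default_network_acl    = true

  # The private subnets get their own NACL. The module default documented in
  # private_inbound_acl_rules is one allow-all rule from 0.0.0.0/0; here
  # inbound is limited to the VPC CIDR plus the TCP ephemeral-port range that
  # return traffic from NAT-egress connections arrives on. UDP return traffic
  # (e.g. to external UDP services) would need a matching rule.
  private_dedicated_network_acl = true
  private_inbound_acl_rules = [
    {
      rule_number = 100
      rule_action = "allow"
      from_port   = 0
      to_port     = 0
      protocol    = "-1"
      cidr_block  = "10.20.0.0/16"  # constructed: intra-VPC traffic only
    },
    {
      rule_number = 110
      rule_action = "allow"
      from_port   = 1024
      to_port     = 65535
      protocol    = "tcp"
      cidr_block  = "0.0.0.0/0"     # responses to outbound TCP via the NAT GW
    },
  ]
  private_outbound_acl_rules = [
    {
      rule_number = 100
      rule_action = "allow"
      from_port   = 0
      to_port     = 0
      protocol    = "-1"
      cidr_block  = "0.0.0.0/0"
    },
  ]

  # Flow logs for ACCEPT and REJECT records, aggregated every 60 s, written to
  # a module-created CloudWatch log group that is KMS-encrypted, retained for
  # 90 days and kept on destroy so the evidence outlives the VPC.
  # enable_flow_log and create_flow_log_cloudwatch_iam_role are assumed inputs
  # (they are not in the excerpt of the inputs table above).
  enable_flow_log                                 = true
  flow_log_destination_type                       = "cloud-watch-logs"
  create_flow_log_cloudwatch_log_group            = true
  create_flow_log_cloudwatch_iam_role             = true
  flow_log_traffic_type                           = "ALL"
  flow_log_max_aggregation_interval               = 60
  flow_log_cloudwatch_log_group_retention_in_days = 90
  flow_log_cloudwatch_log_group_skip_destroy      = true
  flow_log_cloudwatch_log_group_kms_key_id        = "arn:aws:kms:eu-west-1:111122223333:key/PLACEHOLDER-KEY-ID"
  vpc_flow_log_permissions_boundary               = "arn:aws:iam::111122223333:policy/PLACEHOLDER-BOUNDARY"

  tags = {
    Terraform   = "true"
    Environment = "prod"  # constructed
  }
}
```

Because `flow_log_cloudwatch_log_group_kms_key_id` only points the log group at a key, the key policy must still grant the regional CloudWatch Logs service principal permission to use it, or log delivery fails silently at the group.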

Outputs

| Name | Description |
|------|-------------|
| <a name="output_azs"></a> azs | A list of availability zones specified as argument to this module |
| <a name="output_cgw_arns"></a> cgw_arns | List of ARNs of Customer Gateways |
| <a name="output_cgw_ids"></a> cgw_ids | List of IDs of Customer Gateways |
| <a name="output_database_internet_gateway_route_id"></a> database_internet_gateway_route_id | ID of the database internet gateway route |
| <a name="output_database_ipv6_egress_route_id"></a> database_ipv6_egress_route_id | ID of the database IPv6 egress route |
| <a name="output_database_nat_gateway_route_ids"></a> database_nat_gateway_route_ids | List of IDs of the database NAT gateway routes |
| <a name="output_database_network_acl_arn"></a> database_network_acl_arn | ARN of the database network ACL |
| <a name="output_database_network_acl_id"></a> database_network_acl_id | ID of the database network ACL |
| <a name="output_database_route_table_association_ids"></a> database_route_table_association_ids | List of IDs of the database route table associations |
| <a name="output_database_route_table_ids"></a> database_route_table_ids | List of IDs of database route tables |
| <a name="output_database_subnet_arns"></a> database_subnet_arns | List of ARNs of database subnets |
| <a name="output_database_subnet_group"></a> database_subnet_group | ID of database subnet group |
| <a name="output_database_subnet_group_name"></a> database_subnet_group_name | Name of database subnet group |
| <a name="output_database_subnet_objects"></a> database_subnet_objects | A list of all database subnets, containing the full objects |
| <a name="output_database_subnets"></a> database_subnets | List of IDs of database subnets |
| <a name="output_database_subnets_cidr_blocks"></a> database_subnets_cidr_blocks | List of cidr_blocks of database subnets |
| <a name="output_database_subnets_ipv6_cidr_blocks"></a> database_subnets_ipv6_cidr_blocks | List of IPv6 cidr_blocks of database subnets in an IPv6 enabled VPC |
| <a name="output_default_network_acl_id"></a> default_network_acl_id | The ID of the default network ACL |
| <a name="output_default_route_table_id"></a> default_route_table_id | The ID of the default route table |
| <a name="output_default_security_group_id"></a> default_security_group_id | The ID of the security group created by default on VPC creation |
| <a name="output_default_vpc_arn"></a> default_vpc_arn | The ARN of the Default VPC |
| <a name="output_default_vpc_cidr_block"></a> default_vpc_cidr_block | The CIDR block of the Default VPC |
| <a name="output_default_vpc_default_network_acl_id"></a> default_vpc_default_network_acl_id | The ID of the default network ACL of the Default VPC |
| <a name="output_default_vpc_default_route_table_id"></a> default_vpc_default_route_table_id | The ID of the default route table of the Default VPC |
| <a name="output_default_vpc_default_security_group_id"></a> default_vpc_default_security_group_id | The ID of the security group created by default on Default VPC creation |
| <a name="output_default_vpc_enable_dns_hostnames"></a> default_vpc_enable_dns_hostnames | Whether or not the Default VPC has DNS hostname support |
| <a name="output_default_vpc_enable_dns_support"></a> default_vpc_enable_dns_support | Whether or not the Default VPC has DNS support |
| <a name="output_default_vpc_id"></a> default_vpc_id | The ID of the Default VPC |
| <a name="output_default_vpc_instance_tenancy"></a> default_vpc_instance_tenancy | Tenancy of instances spun up within the Default VPC |
| <a name="output_default_vpc_main_route_table_id"></a> default_vpc_main_route_table_id | The ID of the main route table associated with the Default VPC |
| <a name="output_dhcp_options_id"></a> dhcp_options_id | The ID of the DHCP options |
| <a name="output_egress_only_internet_gateway_id"></a> egress_only_internet_gateway_id | The ID of the egress only Internet Gateway |
| <a name="output_elasticache_network_acl_arn"></a> elasticache_network_acl_arn | ARN of the elasticache network ACL |
| <a name="output_elasticache_network_acl_id"></a> elasticache_network_acl_id | ID of the elasticache network ACL |
| <a name="output_elasticache_route_table_association_ids"></a> elasticache_route_table_association_ids | List of IDs of the elasticache route table associations |
| <a name="output_elasticache_route_table_ids"></a> elasticache_route_table_ids | List of IDs of elasticache route tables |
| <a name="output_elasticache_subnet_arns"></a> elasticache_subnet_arns | List of ARNs of elasticache subnets |
| <a name="output_elasticache_subnet_group"></a> elasticache_subnet_group | ID of elasticache subnet group |
| <a name="output_elasticache_subnet_group_name"></a> elasticache_subnet_group_name | Name of elasticache subnet group |
| <a name="output_elasticache_subnet_objects"></a> elasticache_subnet_objects | A list of all elasticache subnets, containing the full objects |
| <a name="output_elasticache_subnets"></a> elasticache_subnets | List of IDs of elasticache subnets |
| <a name="output_elasticache_subnets_cidr_blocks"></a> elasticache_subnets_cidr_blocks | List of cidr_blocks of elasticache subnets |
| <a name="output_elasticache_subnets_ipv6_cidr_blocks"></a> elasticache_subnets_ipv6_cidr_blocks | List of IPv6 cidr_blocks of elasticache subnets in an IPv6 enabled VPC |
| <a name="output_igw_arn"></a> igw_arn | The ARN of the Internet Gateway |
| <a name="output_igw_id"></a> igw_id | The ID of the Internet Gateway |
| <a name="output_intra_network_acl_arn"></a> intra_network_acl_arn | ARN of the intra network ACL |
| <a name="output_intra_network_acl_id"></a> intra_network_acl_id | ID of the intra network ACL |
| <a name="output_intra_route_table_association_ids"></a> intra_route_table_association_ids | List of IDs of the intra route table associations |
| <a name="output_intra_route_table_ids"></a> intra_route_table_ids | List of IDs of intra route tables |
| <a name="output_intra_subnet_arns"></a> intra_subnet_arns | List of ARNs of intra subnets |
| <a name="output_intra_subnet_objects"></a> intra_subnet_objects | A list of all intra subnets, containing the full objects |
| <a name="output_intra_subnets"></a> intra_subnets | List of IDs of intra subnets |
| <a name="output_intra_subnets_cidr_blocks"></a> intra_subnets_cidr_blocks | List of cidr_blocks of intra subnets |
| <a name="output_intra_subnets_ipv6_cidr_blocks"></a> intra_subnets_ipv6_cidr_blocks | List of IPv6 cidr_blocks of intra subnets in an IPv6 enabled VPC |
| <a name="output_name"></a> name | The name of the VPC specified as argument to this module |
| <a name="output_nat_ids"></a> nat_ids | List of allocation IDs of Elastic IPs created for AWS NAT Gateway |
| <a name="output_nat_public_ips"></a> nat_public_ips | List of public Elastic IPs created for AWS NAT Gateway |
| <a name="output_natgw_ids"></a> natgw_ids | List of NAT Gateway IDs |
| <a name="output_natgw_interface_ids"></a> natgw_interface_ids | List of Network Interface IDs assigned to NAT Gateways |
| <a name="output_outpost_network_acl_arn"></a> outpost_network_acl_arn | ARN of the outpost network ACL |
| <a name="output_outpost_network_acl_id"></a> outpost_network_acl_id | ID of the outpost network ACL |
| <a name="output_outpost_subnet_arns"></a> outpost_subnet_arns | List of ARNs of outpost subnets |
| <a name="output_outpost_subnet_objects"></a> outpost_subnet_objects | A list of all outpost subnets, containing the full objects |
| <a name="output_outpost_subnets"></a> outpost_subnets | List of IDs of outpost subnets |
| <a name="output_outpost_subnets_cidr_blocks"></a> outpost_subnets_cidr_blocks | List of cidr_blocks of outpost subnets |
| <a name="output_outpost_subnets_ipv6_cidr_blocks"></a> outpost_subnets_ipv6_cidr_blocks | List of IPv6 cidr_blocks of outpost subnets in an IPv6 enabled VPC |
| <a name="output_private_ipv6_egress_route_ids"></a> private_ipv6_egress_route_ids | List of IDs of the IPv6 egress routes |
| <a name="output_private_nat_gateway_route_ids"></a> private_nat_gateway_route_ids | List of IDs of the private NAT gateway routes |
| <a name="output_private_network_acl_arn"></a> private_network_acl_arn | ARN of the private network ACL |
| <a name="output_private_network_acl_id"></a> private_network_acl_id | ID of the private network ACL |
| <a name="output_private_route_table_association_ids"></a> private_route_table_association_ids | List of IDs of the private route table associations |
| <a name="output_private_route_table_ids"></a> private_route_table_ids | List of IDs of private route tables |
| <a name="output_private_subnet_arns"></a> private_subnet_arns | List of ARNs of private subnets |
| <a name="output_private_subnet_objects"></a> private_subnet_objects | A list of all private subnets, containing the full objects |
| <a name="output_private_subnets"></a> private_subnets | List of IDs of private subnets |
<a name="output_private_subnets_cidr_blocks"></a> private_subnets_cidr_blocksList of cidr_blocks of private subnets
<a name="output_private_subnets_ipv6_cidr_blocks"></a> private_subnets_ipv6_cidr_blocksList of IPv6 cidr_blocks of private subnets in an IPv6 enabled VPC
<a name="output_public_internet_gateway_ipv6_route_id"></a> public_internet_gateway_ipv6_route_idID of the IPv6 internet gateway route
<a name="output_public_internet_gateway_route_id"></a> public_internet_gateway_route_idID of the internet gateway route
<a name="output_public_network_acl_arn"></a> public_network_acl_arnARN of the public network ACL
<a name="output_public_network_acl_id"></a> public_network_acl_idID of the public network ACL
<a name="output_public_route_table_association_ids"></a> public_route_table_association_idsList of IDs of the public route table association
<a name="output_public_route_table_ids"></a> public_route_table_idsList of IDs of public route tables
<a name="output_public_subnet_arns"></a> public_subnet_arnsList of ARNs of public subnets
<a name="output_public_subnet_objects"></a> public_subnet_objectsA list of all public subnets, containing the full objects.
<a name="output_public_subnets"></a> public_subnetsList of IDs of public subnets
<a name="output_public_subnets_cidr_blocks"></a> public_subnets_cidr_blocksList of cidr_blocks of public subnets
<a name="output_public_subnets_ipv6_cidr_blocks"></a> public_subnets_ipv6_cidr_blocksList of IPv6 cidr_blocks of public subnets in an IPv6 enabled VPC
<a name="output_redshift_network_acl_arn"></a> redshift_network_acl_arnARN of the redshift network ACL
<a name="output_redshift_network_acl_id"></a> redshift_network_acl_idID of the redshift network ACL
<a name="output_redshift_public_route_table_association_ids"></a> redshift_public_route_table_association_idsList of IDs of the public redshift route table association
<a name="output_redshift_route_table_association_ids"></a> redshift_route_table_association_idsList of IDs of the redshift route table association
<a name="output_redshift_route_table_ids"></a> redshift_route_table_idsList of IDs of redshift route tables
<a name="output_redshift_subnet_arns"></a> redshift_subnet_arnsList of ARNs of redshift subnets
<a name="output_redshift_subnet_group"></a> redshift_subnet_groupID of redshift subnet group
<a name="output_redshift_subnet_objects"></a> redshift_subnet_objectsA list of all redshift subnets, containing the full objects.
<a name="output_redshift_subnets"></a> redshift_subnetsList of IDs of redshift subnets
<a name="output_redshift_subnets_cidr_blocks"></a> redshift_subnets_cidr_blocksList of cidr_blocks of redshift subnets
<a name="output_redshift_subnets_ipv6_cidr_blocks"></a> redshift_subnets_ipv6_cidr_blocksList of IPv6 cidr_blocks of redshift subnets in an IPv6 enabled VPC
<a name="output_this_customer_gateway"></a> this_customer_gatewayMap of Customer Gateway attributes
<a name="output_vgw_arn"></a> vgw_arnThe ARN of the VPN Gateway
<a name="output_vgw_id"></a> vgw_idThe ID of the VPN Gateway
<a name="output_vpc_arn"></a> vpc_arnThe ARN of the VPC
<a name="output_vpc_cidr_block"></a> vpc_cidr_blockThe CIDR block of the VPC
<a name="output_vpc_enable_dns_hostnames"></a> vpc_enable_dns_hostnamesWhether or not the VPC has DNS hostname support
<a name="output_vpc_enable_dns_support"></a> vpc_enable_dns_supportWhether or not the VPC has DNS support
<a name="output_vpc_flow_log_cloudwatch_iam_role_arn"></a> vpc_flow_log_cloudwatch_iam_role_arnThe ARN of the IAM role used when pushing logs to Cloudwatch log group
<a name="output_vpc_flow_log_deliver_cross_account_role"></a> vpc_flow_log_deliver_cross_account_roleThe ARN of the IAM role used when pushing logs cross account
<a name="output_vpc_flow_log_destination_arn"></a> vpc_flow_log_destination_arnThe ARN of the destination for VPC Flow Logs
<a name="output_vpc_flow_log_destination_type"></a> vpc_flow_log_destination_typeThe type of the destination for VPC Flow Logs
<a name="output_vpc_flow_log_id"></a> vpc_flow_log_idThe ID of the Flow Log resource
<a name="output_vpc_id"></a> vpc_idThe ID of the VPC
<a name="output_vpc_instance_tenancy"></a> vpc_instance_tenancyTenancy of instances spin up within VPC
<a name="output_vpc_ipv6_association_id"></a> vpc_ipv6_association_idThe association ID for the IPv6 CIDR block
<a name="output_vpc_ipv6_cidr_block"></a> vpc_ipv6_cidr_blockThe IPv6 CIDR block
<a name="output_vpc_main_route_table_id"></a> vpc_main_route_table_idThe ID of the main route table associated with this VPC
<a name="output_vpc_owner_id"></a> vpc_owner_idThe ID of the AWS account that owns the VPC
<a name="output_vpc_secondary_cidr_blocks"></a> vpc_secondary_cidr_blocksList of secondary CIDR blocks of the VPC
<!-- END_TF_DOCS -->

Authors

The module is maintained by Anton Babenko with help from these awesome contributors.

License

Apache 2 Licensed. See LICENSE for full details.

Additional information for users from Russia and Belarus