This Terraform module creates a configurable general purpose Amazon Web Services VPC. The module offers an opinionated but flexible network topography geared towards general purpose situations with separate public and private subnets. Each VPC can be configured to support one to four availability zones. Private subnet NAT can be configured via NAT Gateways. A single Internet Gateway is created to provide public routing for public subnets. The module does not configure a bastion or VPN instance for private subnet instance access.

This module has been tested with Terraform version 0.12.9

• Include the module in your main.tf:

module "vpc" {
  source = "git::ssh://[email protected]/reactiveops/terraform-vpc.git?ref=3.0.0"

  aws_region = var.aws_region

  az_count =  var.az_count
  aws_azs = var.aws_azs

  vpc_cidr_base = var.vpc_cidr_base

}

• Create the required variables either in main.tf or a separate variables.tf file:

variable "aws_region" {}

variable "aws_azs" {}
variable "az_count" {}

variable "vpc_cidr_base" {}

• Assign variable values, for example in a terraform.tfvars file:

aws_azs = "us-west-2a, us-west-2b, us-west-2c, us-west-2d"
az_count = 3
vpc_cidr_base = "10.0"

This repo contains a few example *.tfvars.examples files showing example variable configurations.

Generated VPC's will have a /16 CIDR block providing up to 65,536 IP addresses. Choose the IP range you want by setting the vpc_cidr_base variable to the first two numbers of the desired IP range. All subnets will use IP CIDR's built on this pattern.

vpc_cidr_base = "10.1"

The following subnets will be created in each AZ:

• Public
  • Resources requiring public IP addresses such as VPN/bastion instances and Elastic Load Balancers.
• Private working
  • Internal non-production resources such as web servers and database instances.
• Private production
  • Internal production resources such as web servers and database instances.
• Private admin
  • Internal shared administrative resources such as build server instances.

Each subnet will be a /21 block providing up to 2,048 IP addresses per subnet and AZ.

Your VPC can span between one and four AZ's. You can select the specific AZ's that should be used.

aws_azs = "us-west-2a, us-west-2b, us-west-2c, us-west-2d"
az_count = 4

multi_az_nat_gateway

Ideally, in a multi-AZ setup, there is at least one NAT Gateway residing in each availability zone. This allows the outbound traffic from private subnets in each AZ to function independently, and allow for some resilience in-case of an AZ outage.

single_nat_gateway

In some cases, it may be necessary to use a single NAT Gateway, in a single AZ, to pass all outbound traffic from the VPC. This is usually a result of more than one private subnet needing to share a single route table. Concessions must be made in this situation since a route table can only contain a single default route. This configuration introduces a single point of failure (SPOF) in to a multi-AZ environment and should be used only when necessary.

Default values assume a multi-AZ NAT Gateway configuration:

variable "multi_az_nat_gateway" {
  description = "place a NAT gateway in each AZ"
  default = 1
}

variable "single_nat_gateway" {
  description = "use a single NAT gateway to serve outbound traffic for all AZs"
  default = 0
}

To use a single NAT gateway, set multi_az_nat_gateway = 0 and single_nat_gateway = 1 in terraform.tfvars

VPC Gateway Endpoints route traffic to S3 or DynamoDB services over private networks avoiding NAT gateways and associated data processing charges on private subnets. Gateway endpoints are similar to NAT and Internet Gateways. There is a gateway endpoint resource and route table entries to direct specific traffic to them.

Setting TF variable enable_s3_vpc_endpoint to a truthy value creates an S3 VPC gateway endpoint and adds routes to all private subnet route tables. With this enabled all S3 traffic will route over private networks.

Considerations when enabling:

• There is no additional cost for having this enabled.
• ENABLING WILL DISRUPT CONNECTIONS When initially enabling this any inflight S3 connections in the VPC will be interrupted.
• [DNS resolution must be enabled for the VPC].(https://docs.aws.amazon.com/vpc/latest/userguide/vpce-gateway.html#vpc-endpoints-limitations)

By default when enabled all private subnet route tables will get a route for the S3 endpoint. You can pass additional route table ids for additional routes to be created. This is useful for route tables managed by Kops for example.

Each endpoint has an associated IAM style policy attached. This module's default policy allows all access but can be overriden via TF variable s3_vpc_endpoint_policy. S3 bucket and IAM policies still apply. The endpoint policy is an additional limitation for connections through the endpoint.

The subnets created can include custom tags by setting variables of the form SUBNETNAME_subnet_tags.

The routing tables can include custom tags by setting variables of the form TABLENAME_route_table_tags.

The internet gateway can be tagged with the variable internet_gateway_tags

Please read the code of conduct.

This repo contains a few .tfvars.example files in the root illustrating different module usage configuration patterns. Each .tfvars.example file has a corresponding tfplan output file under test/fixtures representing the expected output. The project Makefile includes targets for installing a specific version of Terraform and comparing results of a terraform plan against expected output files.

Running make test requires an actual AWS account for plan generation. The AWS account used requires read-only access to VPC/EC2 resources. No changes are applied. Credentials should be inferred from your awscli config, usually found in ~/.aws/config.

> make test

Makefile defaults expect execution on OS X. To execute on Linux:

> make test TF_PLATFORM=Linux

The goal of the Fairwinds Community is to exchange ideas, influence the open source roadmap, and network with fellow Kubernetes users. Chat with us on Slack join the user group to get involved!

Enjoying terraform-vpc? Check out some of our other projects:

• Polaris - Audit, enforce, and build policies for Kubernetes resources, including over 20 built-in checks for best practices
• Goldilocks - Right-size your Kubernetes Deployments by compare your memory and CPU settings against actual usage
• Pluto - Detect Kubernetes resources that have been deprecated or removed in future versions
• Nova - Check to see if any of your Helm charts have updates available
• rbac-manager - Simplify the management of RBAC in your Kubernetes clusters