- Terraform. This module is currently tested on 0.11.14
Terraform module to create all mandatory VPC components.
This module supports either single-tier (public subnet only) or multi-tier (public, app and data subnets) VPC creation. It supports at most 4 AZs.
```hcl
module "abc_dev" {
  source         = "traveloka/vpc/aws"
  version        = "v0.2.3"
  product_domain = "abc"
  environment    = "dev"
  vpc_name       = "abc-dev"
  vpc_cidr_block = "172.16.0.0/16"
}
```
We use a multi-tier architecture for our VPC design. This design divides the infrastructure into three layers:
- Public tier: the entry point for public-facing clients. It uses public subnets, since resources in this tier must be reachable from the Internet. Examples: external load balancers, bastion hosts, etc.
- Application tier: this is where the business-logic services live and communicate with each other. This tier uses private subnets, so it is only reachable over the private network (outbound Internet access goes through the NAT gateways).
- Database tier: this is where the databases live. Applications and databases are separated into different subnets so that the boundary is explicit and database access is only possible through the application tier.
Benefits of having a multi-tier architecture are:
- Scalable
- Gives us high availability and redundancy
- Fits a microservices architecture
- Clear boundaries between public-facing, business-logic, and data-storage components
- More secure and lower risk: by default every service lives in a private subnet, and databases are only reachable through the application tier
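The subnet layout alone does not enforce "database only reachable through the application tier"; security groups must be chained so that each tier only admits traffic from the tier in front of it. The following is an added example, not part of the traveloka/vpc/aws module, showing how a consumer of the module wires the three tiers together with its outputs. It uses Terraform 0.11 syntax to match the version the module is tested on; the resource names, ports, instance sizes and the `db_password`/`app_ami` variables are assumptions.

```hcl
# Added example, not the module's own code. Assumes Terraform 0.11 and the
# aws provider; names, ports and variables are placeholders.

variable "db_password" {}   # pass with -var or TF_VAR_db_password, never hard-code
variable "app_ami" {}

module "abc_dev" {
  source         = "traveloka/vpc/aws"
  version        = "v0.2.3"
  product_domain = "abc"
  environment    = "dev"
  vpc_name       = "abc-dev"
  vpc_cidr_block = "172.16.0.0/16"
}

# Public tier: only the load balancer accepts traffic from the Internet.
resource "aws_security_group" "alb" {
  name   = "abc-dev-alb"
  vpc_id = "${module.abc_dev.vpc_id}"

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # The ALB may only talk into the VPC, not out to the Internet.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["${module.abc_dev.vpc_cidr_block}"]
  }
}

resource "aws_lb" "public" {
  name               = "abc-dev-public"
  load_balancer_type = "application"
  subnets            = ["${module.abc_dev.subnet_public_ids}"]
  security_groups    = ["${aws_security_group.alb.id}"]
}

# Application tier: the only permitted source is the ALB security group.
# Referencing a security group rather than a CIDR means nothing else in the
# public subnets (for example a bastion) can reach the app port.
resource "aws_security_group" "app" {
  name   = "abc-dev-app"
  vpc_id = "${module.abc_dev.vpc_id}"

  ingress {
    from_port       = 8080
    to_port         = 8080
    protocol        = "tcp"
    security_groups = ["${aws_security_group.alb.id}"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]   # outbound only, via the module's NAT gateways
  }
}

resource "aws_instance" "app" {
  ami                    = "${var.app_ami}"
  instance_type          = "t3.small"
  subnet_id              = "${element(module.abc_dev.subnet_app_ids, 0)}"
  vpc_security_group_ids = ["${aws_security_group.app.id}"]
}

# Data tier: the only permitted source is the app security group.
resource "aws_security_group" "db" {
  name   = "abc-dev-db"
  vpc_id = "${module.abc_dev.vpc_id}"

  ingress {
    from_port       = 5432
    to_port         = 5432
    protocol        = "tcp"
    security_groups = ["${aws_security_group.app.id}"]
  }
}

resource "aws_db_instance" "main" {
  identifier             = "abc-dev-main"
  engine                 = "postgres"
  instance_class         = "db.t3.micro"
  allocated_storage      = 20
  username               = "appuser"
  password               = "${var.db_password}"
  db_subnet_group_name   = "${module.abc_dev.db_subnet_group_name}"
  vpc_security_group_ids = ["${aws_security_group.db.id}"]
  publicly_accessible    = false
  skip_final_snapshot    = true
}
```

Two details carry the security property: the app and db ingress rules reference a security group, not a CIDR, so moving a host into the same subnet does not grant it access; and the database is placed in the module's `db_subnet_group_name` (the data subnets, which have no Internet gateway route) with `publicly_accessible = false`, so it has no public endpoint even if a security group is later loosened by mistake.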
In some cases, you will need a VPC which has only public subnets.
```hcl
module "abc_dev" {
  source  = "traveloka/vpc/aws"
  version = "v0.2.3"
  # you only need to add this line
  vpc_multi_tier = false
  # ... omitted
}
```
In some situations (not always) Terraform reports errors when you set `vpc_multi_tier = false`. This happens because several resources are not created in single-tier mode but are still referenced by the module's outputs. Terraform 0.11 does not allow `count` inside an `output` block, so this cannot be avoided for now. The errors do not affect the stacks/resources/infrastructure that were actually created: just re-run `terraform apply` and the second run completes cleanly.
Name | Version |
---|---|
aws | n/a |
random | >= 1.1, < 3.0.0 |
Name | Description | Type | Default | Required |
---|---|---|---|---|
additional_tags | A map of additional tags to add to all resources | map | {} | no |
environment | Type of environment these resources belong to. | string | n/a | yes |
flow_logs_log_group_retention_period | Specifies the number of days you want to retain log events in the specified log group. | string | "14" | no |
product_domain | Product domain these resources belong to. | string | n/a | yes |
subnet_availability_zones | List of AZs to spread VPC subnets over. | list | [ | no |
vpc_cidr_block | The CIDR block for the VPC. | string | n/a | yes |
vpc_enable_dns_hostnames | A boolean flag to enable/disable DNS hostnames in the VPC. Defaults true. | string | "true" | no |
vpc_enable_dns_support | A boolean flag to enable/disable DNS support in the VPC. Defaults true. | string | "true" | no |
vpc_multi_tier | Whether this VPC should have 3 tiers. True means 3-tier, false means single-tier. Defaults true. Recommended value is true. | string | "true" | no |
vpc_name | The name of the VPC. This name will be used as the prefix for all VPC components. | string | n/a | yes |
Name | Description |
---|---|
aws_account_id | The AWS Account ID number of the account that owns or contains the calling entity. |
aws_caller_arn | The AWS ARN associated with the calling entity. |
aws_caller_user_id | The unique identifier of the calling entity. |
db_subnet_group_arn | The ARN of the db subnet group. |
db_subnet_group_name | The db subnet group name. |
eip_nat_ids | List of Elastic IP allocation IDs for NAT Gateway. |
eip_nat_public_ips | List of Elastic IP public IPs for NAT Gateway. |
elasticache_subnet_group_name | The elasticache subnet group name. |
flow_logs_iam_role_arn | The Amazon Resource Name (ARN) specifying the role for VPC Flow Logs. |
flow_logs_iam_role_create_date | The creation date of the IAM role for VPC Flow Logs. |
flow_logs_iam_role_description | The description of the role for VPC Flow Logs. |
flow_logs_iam_role_name | The name of the role for VPC Flow Logs. |
flow_logs_iam_role_unique_id | The stable and unique string identifying the role for VPC Flow Logs. |
flow_logs_log_group_arn | The Amazon Resource Name (ARN) specifying the log group for VPC Flow Logs. |
igw_id | The ID of the Internet Gateway. |
nat_ids | List of NAT Gateway IDs |
nat_network_interface_ids | List of ENI IDs of the network interface created by the NAT gateway. |
nat_private_ips | List of private IP addresses of the NAT Gateway. |
redshift_subnet_group_id | The Redshift Subnet group ID. |
region_ec2_endpoint | The EC2 endpoint for the selected region. |
region_name | The name of the selected region. |
rtb_app_ids | List of IDs of app route tables |
rtb_data_ids | List of IDs of data route tables |
rtb_public_id | ID of public route table |
subnet_app_cidr_blocks | List of cidr_blocks of app subnets. |
subnet_app_ids | List of IDs of app subnets. |
subnet_data_cidr_blocks | List of cidr_blocks of data subnets. |
subnet_data_ids | List of IDs of data subnets. |
subnet_public_cidr_blocks | List of cidr_blocks of public subnets. |
subnet_public_ids | List of IDs of public subnets. |
vpc_cidr_block | The CIDR block of the VPC. |
vpc_default_network_acl_id | The ID of the network ACL created by default on VPC creation. |
vpc_default_route_table_id | The ID of the route table created by default on VPC creation. |
vpc_default_security_group_id | The ID of the security group created by default on VPC creation. |
vpc_enable_classiclink | Whether or not the VPC has Classiclink enabled. |
vpc_enable_dns_hostnames | Whether or not the VPC has DNS hostname support. |
vpc_enable_dns_support | Whether or not the VPC has DNS support. |
vpc_id | The ID of the VPC. |
vpc_instance_tenancy | Tenancy of instances spin up within VPC. |
vpc_main_route_table_id | The ID of the main route table associated with this VPC. |
vpc_multi_tier | Whether or not the VPC has Multi Tier subnets. |
vpce_dynamodb_cidr_blocks | The list of CIDR blocks for DynamoDB service. |
vpce_dynamodb_id | The ID of VPC endpoint for DynamoDB |
vpce_dynamodb_prefix_list_id | The prefix list for the DynamoDB VPC endpoint. |
vpce_s3_cidr_blocks | The list of CIDR blocks for S3 service. |
vpce_s3_id | The ID of VPC endpoint for S3 |
vpce_s3_prefix_list_id | The prefix list for the S3 VPC endpoint. |
See CONTRIBUTING.md
Apache 2 Licensed. See LICENSE for full details.