A Terraform module that creates a network skeleton on AWS — VPC, public/private subnets, route tables, Internet and NAT gateways, network ACLs, VPC flow logs, VPC endpoints, an optional private Route53 zone and optional ALB/NLB — following best practices for network security, cost and optimization. The usage example below is a starting point, not a hardened configuration: review the NACL rules, key-pair handling and load-balancer settings before applying it outside a sandbox.
| Name | Version |
|---|---|
| aws | 5.82.2 |
| Terraform | >= 1.12.1 |
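module "network" {
  source = "OT-CLOUD-KIT/terraform-aws-network-skeleton"

  # VPC
  vpc_cidr             = "10.0.0.0/16"
  instance_tenancy     = "default"
  enable_dns_support   = true
  enable_dns_hostnames = true
  cluster_name         = "eks-cluster"

  # Subnets: indexes 0 and 2 are public, 1 and 3 are private; one public/private
  # pair per availability zone.
  subnet_names          = ["public-1", "private-1", "public-2", "private-2"]
  subnet_cidrs          = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24", "10.0.4.0/24"]
  subnet_azs            = ["us-east-1a", "us-east-1a", "us-east-1b", "us-east-1b"]
  public_subnet_indexes = [0, 2]

  # Route Tables (default routes: public via IGW, private via NAT)
  public_rt_cidr_block  = "0.0.0.0/0"
  private_rt_cidr_block = "0.0.0.0/0"

  # NAT Gateway — private subnets reach the internet only through it.
  create_nat_gateway = true

  # NACL
  # NACLs are stateless: every permitted connection needs a matching rule for
  # the ephemeral-port (1024-65535) return traffic in the opposite direction.
  # Rules are evaluated in rule_no order; a protocol "-1" allow-all rule makes
  # every other rule in that direction redundant, so list ports explicitly.
  create_nacl = true
  nacl_names  = ["public", "private", "application", "database"]
  nacl_rules = {
    public = {
      subnet_index = [0]
      ingress_rules = [
        # SSH: restrict to your bastion/admin range (RFC 5737 documentation
        # placeholder below); never expose port 22 to 0.0.0.0/0.
        { protocol = "tcp", rule_no = 100, action = "allow", cidr_block = "203.0.113.0/24", from_port = 22, to_port = 22 },
        # Return traffic for connections initiated from this subnet
        { protocol = "tcp", rule_no = 110, action = "allow", cidr_block = "0.0.0.0/0", from_port = 1024, to_port = 65535 },
        # Internet-facing ALB listeners (HTTP/HTTPS)
        { protocol = "tcp", rule_no = 120, action = "allow", cidr_block = "0.0.0.0/0", from_port = 80, to_port = 80 },
        { protocol = "tcp", rule_no = 130, action = "allow", cidr_block = "0.0.0.0/0", from_port = 443, to_port = 443 }
      ]
      egress_rules = [
        # Responses to inbound connections (clients use ephemeral source ports)
        { protocol = "tcp", rule_no = 100, action = "allow", cidr_block = "0.0.0.0/0", from_port = 1024, to_port = 65535 },
        # Outbound HTTP/HTTPS. If the ALB forwards to targets in the private
        # subnets, also add the backend target port(s) here.
        { protocol = "tcp", rule_no = 110, action = "allow", cidr_block = "0.0.0.0/0", from_port = 80, to_port = 80 },
        { protocol = "tcp", rule_no = 120, action = "allow", cidr_block = "0.0.0.0/0", from_port = 443, to_port = 443 }
      ]
    }
    private = {
      subnet_index = [1]
      # NOTE(review): these rules only permit traffic inside the VPC. Outbound
      # 443 to the NAT gateway / interface endpoints and the corresponding
      # return traffic from internet addresses are denied at this NACL, so the
      # NAT gateway above is unusable from this subnet. Add 0.0.0.0/0 rules for
      # 443 (egress) and 1024-65535 (ingress) if hosts here must reach the
      # internet or AWS APIs.
      ingress_rules = [
        { protocol = "tcp", rule_no = 100, action = "allow", cidr_block = "10.0.0.0/16", from_port = 22, to_port = 22 },
        { protocol = "tcp", rule_no = 110, action = "allow", cidr_block = "10.0.0.0/16", from_port = 1024, to_port = 65535 }
      ]
      egress_rules = [
        { protocol = "tcp", rule_no = 100, action = "allow", cidr_block = "10.0.0.0/16", from_port = 1024, to_port = 65535 }
      ]
    }
    application = {
      # NOTE(review): subnet index 2 is "public-2" (see subnet_names and
      # public_subnet_indexes), but the rules below allow only intra-VPC
      # traffic, so an internet-facing ALB placed there cannot receive
      # client traffic. Either cover index 2 with the "public" NACL or make
      # the application tier a private subnet.
      subnet_index = [2]
      ingress_rules = [
        { protocol = "tcp", rule_no = 100, action = "allow", cidr_block = "10.0.0.0/16", from_port = 22, to_port = 22 },
        { protocol = "tcp", rule_no = 110, action = "allow", cidr_block = "10.0.0.0/16", from_port = 1024, to_port = 65535 }
      ]
      egress_rules = [
        { protocol = "tcp", rule_no = 100, action = "allow", cidr_block = "10.0.0.0/16", from_port = 1024, to_port = 65535 }
      ]
    }
    database = {
      subnet_index = [3]
      # Narrow the SSH source from the whole VPC to the bastion/application
      # subnet CIDRs, and add the database port for the application tier;
      # nothing else needs to reach this subnet.
      ingress_rules = [
        { protocol = "tcp", rule_no = 100, action = "allow", cidr_block = "10.0.0.0/16", from_port = 22, to_port = 22 },
        { protocol = "tcp", rule_no = 110, action = "allow", cidr_block = "10.0.0.0/16", from_port = 1024, to_port = 65535 }
      ]
      egress_rules = [
        { protocol = "tcp", rule_no = 100, action = "allow", cidr_block = "10.0.0.0/16", from_port = 1024, to_port = 65535 }
      ]
    }
  }

  # Flow Logs — capture accepted and rejected traffic for detection/forensics.
  flow_logs_enabled      = true
  flow_logs_traffic_type = "ALL"
  flow_logs_file_format  = "parquet"

  # Route53
  create_route53 = false
  route53_zone   = "example.internal"

  # Endpoints — service names must use the same region as the VPC (us-east-1).
  enable_s3_endpoint = true
  service_name_s3    = "com.amazonaws.us-east-1.s3"
  s3_endpoint_type   = "Gateway"

  enable_ec2_endpoint     = true
  service_name_ec2        = "com.amazonaws.us-east-1.ec2"
  ec2_endpoint_type       = "Interface"
  ec2_private_dns_enabled = true

  enable_nlb_endpoint     = false
  service_name_nlb        = "com.amazonaws.us-east-1.elasticloadbalancing" # was us-east-2; mismatched the VPC region
  nlb_endpoint_type       = "Interface"
  nlb_private_dns_enabled = true

  # Security group for the interface endpoints (should allow 443 from the VPC CIDR only)
  endpoint_sg_id = module.endpoint_security_group.sg_id

  # ALB (internet-facing)
  create_alb = true
  internal   = false
  alb_sg_id  = module.alb_security_group.sg_id

  # false is acceptable for a dev environment (env = "d"); set to true in
  # production so the ALB cannot be deleted by accident.
  enable_deletion_protection = false

  # Access logs are off here; enable them (with a bucket and prefix) in any
  # environment where request-level audit data matters.
  access_logs = {
    enabled = false
    bucket  = ""
    prefix  = ""
  }

  # Empty ARN means no TLS certificate is supplied; an HTTPS listener cannot
  # terminate TLS without one, so supply an ACM certificate ARN for anything
  # beyond a plain-HTTP sandbox.
  alb_certificate_arn = ""

  # NLB (internet-facing)
  create_nlb  = true
  is_internal = false
  nlb_sg_id   = module.nlb_security_group.sg_id

  # Tags
  bu      = "ot"
  program = "ot"
  app     = "bp"
  env     = "d"
  team    = "infra"
  region  = "us-east-1"

  # Key Pair
  # With create_private_key = true the private key is generated by Terraform:
  # it ends up in the Terraform state and in key_output_dir on the machine
  # that runs apply. Protect the state backend (encryption + restricted
  # access) and keep the output directory out of version control. The safer
  # pattern is create_private_key = false with public_key_path pointing at a
  # public key whose private half never leaves your workstation/HSM.
  create_key_pair       = true
  create_private_key    = true
  key_pair_name         = "otbp-key"
  private_key_algorithm = "RSA"
  private_key_rsa_bits  = 4096
  public_key_path       = ""
  key_output_dir        = "./keys" # relative, gitignored path instead of a personal home directory
}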
| Name | Type |
|---|---|
| aws_eip.nat | resource |
| aws_flow_log.vpc_flow_log | resource |
| aws_internet_gateway.igw | resource |
| aws_main_route_table_association.default_public_route | resource |
| aws_nat_gateway.nat_gateway | resource |
| aws_route.additional_private_route | resource |
| aws_route.additional_public_route | resource |
| aws_route.default_public_route | resource |
| aws_route.private_route_nat_association | resource |
| aws_route53_zone.vpc_route53 | resource |
| aws_route_table.private_route_table | resource |
| aws_route_table.public_route_table | resource |
| aws_route_table_association.database_route_table_association | resource |
| aws_route_table_association.private_route_table_association | resource |
| aws_route_table_association.public_subnets_association | resource |
| aws_s3_bucket.flow_logs_bucket | resource |
| aws_subnet.database_subnet | resource |
| aws_subnet.private_subnet | resource |
| aws_subnet.public_subnet | resource |
| aws_vpc.vpc | resource |
| aws_caller_identity.current_account | data source |
| aws_lb | resource |
| aws_lb_listener | resource |
Note: the input names in this table do not match the arguments used in the usage example above (for example `cidr_block` vs `vpc_cidr`, `public_subnets`/`private_subnets` vs `subnet_names`/`public_subnet_indexes`), and the required `name` input is not set in the example. Treat the module's `variables.tf` as the authoritative list.

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| additional_private_routes | Additional routes for the private route table(s) (object schema truncated in this page) | list(object({…})) | `[]` | no |
| additional_public_routes | Additional routes for the public route table(s) (object schema truncated in this page) | map(object({…})) | `{}` | no |
| azs | A list of availability zone names or IDs in the region | list(string) | `[]` | no |
| cidr_block | The IPv4 CIDR block for the VPC | string | `"10.0.0.0/16"` | no |
| database_subnets | A list of database subnet CIDRs inside the VPC | list(string) | `[]` | no |
| database_subnets_tags | Additional tags for the database subnets | map(string) | `{}` | no |
| enable_network_address_usage_metrics | Whether network address usage metrics are enabled for the VPC | bool | `false` | no |
| flow_logs_enabled | Whether to enable VPC flow logs (recommended for detection and forensics) | bool | `false` | no |
| flow_logs_file_format | The file format for the flow log. Valid values: `plain-text`, `parquet` | string | `"parquet"` | no |
| flow_logs_traffic_type | The type of traffic to capture. Valid values: `ACCEPT`, `REJECT`, `ALL` | string | `"ALL"` | no |
| instance_tenancy | The tenancy option for instances launched into the VPC | string | `"default"` | no |
| name | Name used on all resources as the identifier | string | n/a | yes |
| private_subnets | A list of private subnet CIDRs inside the VPC | list(string) | `[]` | no |
| private_subnets_tags | Additional tags for the private subnets | map(string) | `{}` | no |
| public_subnets | A list of public subnet CIDRs inside the VPC | list(string) | `[]` | no |
| public_subnets_tags | Additional tags for the public subnets | map(string) | `{}` | no |
| route53_zone | Name of the private Route53 hosted zone | string | `"non-prod.internal"` | no |
| tags | A map of tags to add to all resources | map(string) | `{}` | no |
| vpc_tags | Additional tags for the VPC | map(string) | `{}` | no |
| Name | Description |
|---|---|
| vpc_id | ID of the VPC |
| vpc_cidr_block | CIDR block of the VPC |
| igw_id | Internet Gateway ID |
| nat_gateway_ids | List of NAT Gateway IDs |
| public_rt_id | Public route table ID |
| private_rt_id | Private route table ID |
| flow_logs_bucket_arn | ARN of the Flow Logs S3 bucket |
| vpc_flow_log_arn | ARN of the VPC flow log |
| route53_zone_id | Private Route53 Zone ID |
| s3_endpoint | S3 VPC endpoint details |
| ec2_endpoint | EC2 VPC endpoint details |
| nlb_endpoint | NLB VPC endpoint details |
| alb_arn | ARN of the ALB |
| alb_dns_name | DNS name of the ALB |
| alb_zone_id | Zone ID of the ALB |
| alb_http_listener_arn | HTTP Listener ARN for ALB |
| alb_https_listener_arn | HTTPS Listener ARN for ALB |
| nlb_arn | ARN of the NLB |
| alb_sg_id | Security Group ID for ALB |
| nlb_sg_id | Security Group ID for NLB |
| endpoint_sg_id | Security Group ID for Endpoint |
| created_key_pair_name | Name of the created key pair |
| generated_private_key_path | Local path where the generated private key was written (under `key_output_dir`); treat the file and the Terraform state that produced it as secrets |
| subnet_ids | Map of subnet names to subnet IDs |