Terraform module to create public, private and public-private subnet with network acl, route table, Elastic IP, nat gateway, flow log.
We eat, drink, sleep and most importantly love DevOps. We are working towards strategies for standardizing architecture while ensuring security for the infrastructure. We are strong believer of the philosophy Bigger problems are always solved by breaking them into smaller manageable problems. Resonating with microservices architecture, it is considered best-practice to run database, cluster, storage in smaller connected yet manageable pieces within the infrastructure.
This module is basically combination of Terraform open source and includes automatation tests and examples. It also helps to create and improve your infrastructure with minimalistic code instead of maintaining the whole infrastructure code yourself.
We have fifty plus terraform modules. A few of them are comepleted and are available for open source usage while a few others are in progress.
This module has a few dependencies:
IMPORTANT: Since the master branch used in source varies based on new modifications, we suggest that you use the release versions here.
Here are some examples of how you can use this module in your inventory structure:
module "private-subnets" {
source = "clouddrove/terraform-aws-subnet/aws"
name = "subnets"
environment = "test"
nat_gateway_enabled = true
availability_zones = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
vpc_id = module.vpc.vpc_id
type = "private"
cidr_block = module.vpc.vpc_cidr_block
ipv6_cidr_block = module.vpc.ipv6_cidr_block
public_subnet_ids = ["subnet-xxxxxxxxxxxx", "subnet-xxxxxxxxxxxx"]
} module "subnets" {
source = "clouddrove/terraform-aws-subnet/aws"
name = "subnets"
environment = "test"
label_order = ["name", "environment"]
nat_gateway_enabled = true
availability_zones = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
vpc_id = module.vpc.vpc_id
type = "public-private"
igw_id = module.vpc.igw_id
cidr_block = module.vpc.vpc_cidr_block
ipv6_cidr_block = module.vpc.ipv6_cidr_block
enable_ipv6 = true
} module "subnets" {
source = "clouddrove/terraform-aws-subnet/aws"
name = "subnets"
environment = "test"
label_order = ["name", "environment"]
availability_zones = ["us-east-1a", "us-east-1b", "us-east-1c"]
vpc_id = module.vpc.vpc_id
type = "public"
igw_id = module.vpc.igw_id
ipv4_public_cidrs = ["10.0.1.0/24", "10.0.13.0/24", "10.0.18.0/24"]
enable_ipv6 = false
}| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| attributes | Additional attributes (e.g. 1). |
list(any) |
[] |
no |
| availability_zones | List of Availability Zones (e.g. ['us-east-1a', 'us-east-1b', 'us-east-1c']). |
list(string) |
[] |
no |
| cidr_block | Base CIDR block which is divided into subnet CIDR blocks (e.g. 10.0.0.0/16). |
string |
null |
no |
| delimiter | Delimiter to be used between organization, environment, name and attributes. |
string |
"-" |
no |
| enable | Set to false to prevent the module from creating any resources. | bool |
true |
no |
| enable_flow_log | Enable subnet_flow_log logs. | bool |
false |
no |
| enable_ipv6 | Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block | bool |
false |
no |
| enable_private_acl | Set to false to prevent the module from creating any resources. | bool |
true |
no |
| enable_public_acl | Set to false to prevent the module from creating any resources. | bool |
true |
no |
| environment | Environment (e.g. prod, dev, staging). |
string |
"" |
no |
| flow_log_destination_arn | ARN of resource in which flow log will be sent. | string |
null |
no |
| flow_log_destination_type | Type of flow log destination. Can be s3 or cloud-watch-logs | string |
"cloud-watch-logs" |
no |
| flow_log_file_format | (Optional) The format for the flow log. Valid values: plain-text, parquet |
string |
null |
no |
| flow_log_hive_compatible_partitions | (Optional) Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3 | bool |
false |
no |
| flow_log_iam_role_arn | The ARN for the IAM role that's used to post flow logs to a CloudWatch Logs log group. When flow_log_destination_arn is set to ARN of Cloudwatch Logs, this argument needs to be provided | string |
null |
no |
| flow_log_log_format | The fields to include in the flow log record, in the order in which they should appear | string |
null |
no |
| flow_log_max_aggregation_interval | The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: 60 seconds or 600 seconds |
number |
600 |
no |
| flow_log_per_hour_partition | (Optional) Indicates whether to partition the flow log per hour. This reduces the cost and response time for queries | bool |
false |
no |
| flow_log_traffic_type | Type of traffic to capture. Valid values: ACCEPT,REJECT, ALL. | string |
"ALL" |
no |
| igw_id | Internet Gateway ID that is used as a default route when creating public subnets (e.g. igw-9c26a123). |
string |
"" |
no |
| ipv4_private_cidrs | Subnet CIDR blocks (e.g. 10.0.0.0/16). |
list(any) |
[] |
no |
| ipv4_public_cidrs | Subnet CIDR blocks (e.g. 10.0.0.0/16). |
list(any) |
[] |
no |
| ipv6_cidr_block | Base CIDR block which is divided into subnet CIDR blocks (e.g. 10.0.0.0/16). |
string |
null |
no |
| label_order | Label order, e.g. name,Environment. |
list(any) |
[ |
no |
| managedby | ManagedBy, eg 'CloudDrove'. | string |
"hello@clouddrove.com" |
no |
| map_public_ip_on_launch | Specify true to indicate that instances launched into the public subnet should be assigned a public IP address. | bool |
false |
no |
| name | Name (e.g. prod-subnet or subnet). |
string |
"" |
no |
| nat_gateway_destination_cidr_block | Used to pass a custom destination route for private NAT Gateway. If not specified, the default 0.0.0.0/0 is used as a destination route | string |
"0.0.0.0/0" |
no |
| nat_gateway_enabled | Flag to enable/disable NAT Gateways creation in public subnets. | bool |
false |
no |
| private_inbound_acl_rules | Private subnets inbound network ACLs | list(map(string)) |
[ |
no |
| private_ipv6_cidrs | Private Subnet CIDR blocks (e.g. 2a05:d018:832:ca02::/64). |
list(any) |
[] |
no |
| private_outbound_acl_rules | Private subnets outbound network ACLs | list(map(string)) |
[ |
no |
| private_subnet_assign_ipv6_address_on_creation | Specify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. | bool |
false |
no |
| private_subnet_enable_dns64 | Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: true |
bool |
false |
no |
| private_subnet_enable_resource_name_dns_a_record_on_launch | Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: false |
bool |
false |
no |
| private_subnet_enable_resource_name_dns_aaaa_record_on_launch | Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: true |
bool |
false |
no |
| private_subnet_ipv6_native | Indicates whether to create an IPv6-only private subnet. Default: false |
bool |
false |
no |
| private_subnet_private_dns_hostname_type_on_launch | The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: ip-name, resource-name |
string |
null |
no |
| public_inbound_acl_rules | Public subnets inbound network ACLs | list(map(string)) |
[ |
no |
| public_ipv6_cidrs | Public Subnet CIDR blocks (e.g. 2a05:d018:832:ca02::/64). |
list(any) |
[] |
no |
| public_outbound_acl_rules | Public subnets outbound network ACLs | list(map(string)) |
[ |
no |
| public_rt_ipv4_destination_cidr | The destination ipv4 CIDR block. | string |
"0.0.0.0/0" |
no |
| public_rt_ipv6_destination_cidr | The destination ipv6 CIDR block. | string |
"::/0" |
no |
| public_subnet_assign_ipv6_address_on_creation | Specify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. | bool |
false |
no |
| public_subnet_enable_dns64 | Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: true |
bool |
false |
no |
| public_subnet_enable_resource_name_dns_a_record_on_launch | Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: false |
bool |
false |
no |
| public_subnet_enable_resource_name_dns_aaaa_record_on_launch | Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: true |
bool |
false |
no |
| public_subnet_ids | A list of public subnet ids. | list(string) |
[] |
no |
| public_subnet_ipv6_native | Indicates whether to create an IPv6-only public subnet. Default: false |
bool |
false |
no |
| public_subnet_private_dns_hostname_type_on_launch | The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: ip-name, resource-name |
string |
null |
no |
| repository | Terraform current module repo | string |
"https://github.com/clouddrove/terraform-aws-subnet" |
no |
| single_nat_gateway | Enable for only single NAT Gateway in one Availability Zone | bool |
false |
no |
| tags | Additional tags (e.g. map(BusinessUnit,XYZ). |
map(any) |
{} |
no |
| type | Type of subnets to create (private or public). |
string |
"" |
no |
| vpc_id | VPC ID. | string |
n/a | yes |
| Name | Description |
|---|---|
| private_acl | The ID of the network ACL. |
| private_route_tables_id | The ID of the routing table. |
| private_subnet_cidrs | CIDR blocks of the created private subnets. |
| private_subnet_cidrs_ipv6 | CIDR blocks of the created private subnets. |
| private_subnet_id | The ID of the private subnet. |
| private_tags | A mapping of private tags to assign to the resource. |
| public_acl | The ID of the network ACL. |
| public_route_tables_id | The ID of the routing table. |
| public_subnet_cidrs | CIDR blocks of the created public subnets. |
| public_subnet_cidrs_ipv6 | CIDR blocks of the created public subnets. |
| public_subnet_id | The ID of the subnet. |
| public_tags | A mapping of public tags to assign to the resource. |
In this module testing is performed with terratest and it creates a small piece of infrastructure, matches the output like ARN, ID and Tags name etc and destroy infrastructure in your AWS account. This testing is written in GO, so you need a GO environment in your system.
You need to run the following command in the testing folder:
go test -run TestIf you come accross a bug or have any feedback, please log it in our issue tracker, or feel free to drop us an email at hello@clouddrove.com.
If you have found it worth your time, go ahead and give us a ★ on our GitHub!
At CloudDrove, we offer expert guidance, implementation support and services to help organisations accelerate their journey to the cloud. Our services include docker and container orchestration, cloud migration and adoption, infrastructure automation, application modernisation and remediation, and performance engineering.
We are The Cloud Experts!
We ❤️ Open Source and you can check out our other modules to get help with your new Cloud ideas.