diff --git a/.github/workflows/lock.yml b/.github/workflows/lock.yml
index 6b6c9cec0..bd5f2df7c 100644
--- a/.github/workflows/lock.yml
+++ b/.github/workflows/lock.yml
@@ -8,7 +8,7 @@ jobs:
lock:
runs-on: ubuntu-latest
steps:
- - uses: dessant/lock-threads@v4
+ - uses: dessant/lock-threads@v5
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
issue-comment: >
diff --git a/.github/workflows/pr-title.yml b/.github/workflows/pr-title.yml
index cb32a0f81..3973df443 100644
--- a/.github/workflows/pr-title.yml
+++ b/.github/workflows/pr-title.yml
@@ -14,7 +14,7 @@ jobs:
steps:
# Please look up the latest version from
# https://github.com/amannn/action-semantic-pull-request/releases
- - uses: amannn/action-semantic-pull-request@v5.0.2
+ - uses: amannn/action-semantic-pull-request@v5.4.0
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
index cb8267134..c2632d1a4 100644
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -8,7 +8,7 @@ on:
env:
TERRAFORM_DOCS_VERSION: v0.16.0
- TFLINT_VERSION: v0.44.1
+ TFLINT_VERSION: v0.50.3
jobs:
collectInputs:
@@ -18,11 +18,11 @@ jobs:
directories: ${{ steps.dirs.outputs.directories }}
steps:
- name: Checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
- name: Get root directories
id: dirs
- uses: clowdhaus/terraform-composite-actions/directories@v1.8.3
+ uses: clowdhaus/terraform-composite-actions/directories@v1.9.0
preCommitMinVersions:
name: Min TF pre-commit
@@ -32,19 +32,27 @@ jobs:
matrix:
directory: ${{ fromJson(needs.collectInputs.outputs.directories) }}
steps:
+ # https://github.com/orgs/community/discussions/25678#discussioncomment-5242449
+ - name: Delete huge unnecessary tools folder
+ run: |
+ rm -rf /opt/hostedtoolcache/CodeQL
+ rm -rf /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk
+ rm -rf /opt/hostedtoolcache/Ruby
+ rm -rf /opt/hostedtoolcache/go
+
- name: Checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
- name: Terraform min/max versions
id: minMax
- uses: clowdhaus/terraform-min-max@v1.2.4
+ uses: clowdhaus/terraform-min-max@v1.3.0
with:
directory: ${{ matrix.directory }}
- name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }}
# Run only validate pre-commit check on min version supported
if: ${{ matrix.directory != '.' }}
- uses: clowdhaus/terraform-composite-actions/pre-commit@v1.8.3
+ uses: clowdhaus/terraform-composite-actions/pre-commit@v1.9.0
with:
terraform-version: ${{ steps.minMax.outputs.minVersion }}
tflint-version: ${{ env.TFLINT_VERSION }}
@@ -53,7 +61,7 @@ jobs:
- name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }}
# Run only validate pre-commit check on min version supported
if: ${{ matrix.directory == '.' }}
- uses: clowdhaus/terraform-composite-actions/pre-commit@v1.8.3
+ uses: clowdhaus/terraform-composite-actions/pre-commit@v1.9.0
with:
terraform-version: ${{ steps.minMax.outputs.minVersion }}
tflint-version: ${{ env.TFLINT_VERSION }}
@@ -64,18 +72,26 @@ jobs:
runs-on: ubuntu-latest
needs: collectInputs
steps:
+ # https://github.com/orgs/community/discussions/25678#discussioncomment-5242449
+ - name: Delete huge unnecessary tools folder
+ run: |
+ rm -rf /opt/hostedtoolcache/CodeQL
+ rm -rf /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk
+ rm -rf /opt/hostedtoolcache/Ruby
+ rm -rf /opt/hostedtoolcache/go
+
- name: Checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.ref }}
repository: ${{github.event.pull_request.head.repo.full_name}}
- name: Terraform min/max versions
id: minMax
- uses: clowdhaus/terraform-min-max@v1.2.4
+ uses: clowdhaus/terraform-min-max@v1.3.0
- name: Pre-commit Terraform ${{ steps.minMax.outputs.maxVersion }}
- uses: clowdhaus/terraform-composite-actions/pre-commit@v1.8.3
+ uses: clowdhaus/terraform-composite-actions/pre-commit@v1.9.0
with:
terraform-version: ${{ steps.minMax.outputs.maxVersion }}
tflint-version: ${{ env.TFLINT_VERSION }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 81f674740..4a9422614 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -20,18 +20,18 @@ jobs:
if: github.repository_owner == 'terraform-aws-modules'
steps:
- name: Checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
with:
persist-credentials: false
fetch-depth: 0
- name: Release
- uses: cycjimmy/semantic-release-action@v3
+ uses: cycjimmy/semantic-release-action@v4
with:
- semantic_version: 18.0.0
+ semantic_version: 23.0.2
extra_plugins: |
- @semantic-release/changelog@6.0.0
- @semantic-release/git@10.0.0
- conventional-changelog-conventionalcommits@4.6.3
+ @semantic-release/changelog@6.0.3
+ @semantic-release/git@10.0.1
+ conventional-changelog-conventionalcommits@7.0.2
env:
GITHUB_TOKEN: ${{ secrets.SEMANTIC_RELEASE_TOKEN }}
diff --git a/.github/workflows/stale-actions.yaml b/.github/workflows/stale-actions.yaml
index 50379957f..6ccd0ed85 100644
--- a/.github/workflows/stale-actions.yaml
+++ b/.github/workflows/stale-actions.yaml
@@ -7,7 +7,7 @@ jobs:
stale:
runs-on: ubuntu-latest
steps:
- - uses: actions/stale@v6
+ - uses: actions/stale@v9
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
# Staling issues and PR's
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 0f3428382..395404e80 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,9 +1,8 @@
repos:
- repo: https://github.com/antonbabenko/pre-commit-terraform
- rev: v1.81.0
+ rev: v1.88.0
hooks:
- id: terraform_fmt
- - id: terraform_validate
- id: terraform_docs
args:
- '--args=--lockfile=false'
@@ -22,8 +21,11 @@ repos:
- '--args=--only=terraform_required_providers'
- '--args=--only=terraform_standard_module_structure'
- '--args=--only=terraform_workspace_remote'
+ - '--args=--only=terraform_unused_required_providers'
+ - id: terraform_validate
- repo: https://github.com/pre-commit/pre-commit-hooks
- rev: v4.4.0
+ rev: v4.5.0
hooks:
- id: check-merge-conflict
- id: end-of-file-fixer
+ - id: trailing-whitespace
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 76a37073a..f2c9ad330 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,83 @@
All notable changes to this project will be documented in this file.
+## [5.7.1](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.7.0...v5.7.1) (2024-04-06)
+
+
+### Bug Fixes
+
+* Create the same number of IPv6 egress only gateway routes as the number of NAT gateways that are enabled/created ([#1059](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/1059)) ([77df552](https://github.com/terraform-aws-modules/terraform-aws-vpc/commit/77df552a8aa43bb3711243a3a5ef3e29f70a4068))
+
+## [5.7.0](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.6.0...v5.7.0) (2024-03-22)
+
+
+### Features
+
+* Allow setting vpc endpoints as an input for each endpoint ([#1056](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/1056)) ([9163310](https://github.com/terraform-aws-modules/terraform-aws-vpc/commit/9163310db647ed98094319980bd8eef72bee492b))
+
+## [5.6.0](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.5.3...v5.6.0) (2024-03-14)
+
+
+### Features
+
+* Support VPC flow log cloudwatch log group class ([#1053](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/1053)) ([e2970fd](https://github.com/terraform-aws-modules/terraform-aws-vpc/commit/e2970fd747bbf5d0b1539f7bbbdced56977a1bdf))
+
+## [5.5.3](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.5.2...v5.5.3) (2024-03-06)
+
+
+### Bug Fixes
+
+* Update CI workflow versions to remove deprecated runtime warnings ([#1052](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/1052)) ([3b5b7f1](https://github.com/terraform-aws-modules/terraform-aws-vpc/commit/3b5b7f1fea768c6c933ea1ce2f8ee11250fa94cb))
+
+### [5.5.2](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.5.1...v5.5.2) (2024-02-09)
+
+
+### Bug Fixes
+
+* Added create_before_destroy to aws_customer_gateway ([#1036](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/1036)) ([5f5df57](https://github.com/terraform-aws-modules/terraform-aws-vpc/commit/5f5df571925895ad1fdf5a3bd04e539aa13f5a1d))
+
+### [5.5.1](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.5.0...v5.5.1) (2024-01-13)
+
+
+### Bug Fixes
+
+* Correct VPC endpoint private DNS resolver `for_each` key ([#1029](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/1029)) ([a837be1](https://github.com/terraform-aws-modules/terraform-aws-vpc/commit/a837be12882c8f74984620752937b4806da2d6d4))
+
+## [5.5.0](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.4.0...v5.5.0) (2024-01-09)
+
+
+### Features
+
+* Add support for `dns_options` on VPC endpoints ([#1023](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/1023)) ([32f853f](https://github.com/terraform-aws-modules/terraform-aws-vpc/commit/32f853f4c099ad134d9c739d585c42a7c06a797b))
+
+## [5.4.0](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.3.0...v5.4.0) (2023-12-11)
+
+
+### Features
+
+* Add Cross Account Flow Support ([#1014](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/1014)) ([6e25437](https://github.com/terraform-aws-modules/terraform-aws-vpc/commit/6e25437b16955b9393348d91965ead2f755fb2e0))
+
+## [5.3.0](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.2.0...v5.3.0) (2023-12-11)
+
+
+### Features
+
+* Add NAT gateway interface ids output ([#1006](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/1006)) ([898bbaf](https://github.com/terraform-aws-modules/terraform-aws-vpc/commit/898bbaf46ba8ebad54983d63fa9e8eac6456903b))
+
+## [5.2.0](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.1.2...v5.2.0) (2023-11-18)
+
+
+### Features
+
+* Add `skip_destroy` to vpc flow log cloudwatch log group ([#1009](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/1009)) ([abe2c0f](https://github.com/terraform-aws-modules/terraform-aws-vpc/commit/abe2c0fcd23f1adfcb6e3a7739811e2482e2d197))
+
+### [5.1.2](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.1.1...v5.1.2) (2023-09-07)
+
+
+### Bug Fixes
+
+* The number of intra subnets should not influence the number of NAT gateways provisioned ([#968](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/968)) ([1e36f9f](https://github.com/terraform-aws-modules/terraform-aws-vpc/commit/1e36f9f8a01eb26be83d8e1ce2227a6890390b0e))
+
### [5.1.1](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.1.0...v5.1.1) (2023-07-25)
diff --git a/README.md b/README.md
index 73c591304..ca7fdffbf 100644
--- a/README.md
+++ b/README.md
@@ -256,13 +256,13 @@ Full contributing [guidelines are covered here](.github/contributing.md).
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
-| [aws](#requirement\_aws) | >= 5.0 |
+| [aws](#requirement\_aws) | >= 5.30 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 5.0 |
+| [aws](#provider\_aws) | >= 5.30 |
## Modules
@@ -379,7 +379,9 @@ No modules.
| [database\_dedicated\_network\_acl](#input\_database\_dedicated\_network\_acl) | Whether to use dedicated network ACL (not default) and custom rules for database subnets | `bool` | `false` | no |
| [database\_inbound\_acl\_rules](#input\_database\_inbound\_acl\_rules) | Database subnets inbound network ACL rules | `list(map(string))` | [
{
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_action": "allow",
"rule_number": 100,
"to_port": 0
}
]
| no |
| [database\_outbound\_acl\_rules](#input\_database\_outbound\_acl\_rules) | Database subnets outbound network ACL rules | `list(map(string))` | [
{
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_action": "allow",
"rule_number": 100,
"to_port": 0
}
]
| no |
+| [database\_route\_table\_names](#input\_database\_route\_table\_names) | Explicit values to use in the Name tag on database route tables. If empty, Name tags are generated. | `list(string)` | `[]` | no |
| [database\_route\_table\_tags](#input\_database\_route\_table\_tags) | Additional tags for the database route tables | `map(string)` | `{}` | no |
+| [database\_route\_table\_tags\_per\_subnet](#input\_database\_route\_table\_tags\_per\_subnet) | Additional tags for the database route tables, if specified then must have a length equal to the number of database subnets | `list(map(string))` | `[]` | no |
| [database\_subnet\_assign\_ipv6\_address\_on\_creation](#input\_database\_subnet\_assign\_ipv6\_address\_on\_creation) | Specify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. Default is `false` | `bool` | `false` | no |
| [database\_subnet\_enable\_dns64](#input\_database\_subnet\_enable\_dns64) | Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: `true` | `bool` | `true` | no |
| [database\_subnet\_enable\_resource\_name\_dns\_a\_record\_on\_launch](#input\_database\_subnet\_enable\_resource\_name\_dns\_a\_record\_on\_launch) | Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: `false` | `bool` | `false` | no |
@@ -392,6 +394,7 @@ No modules.
| [database\_subnet\_private\_dns\_hostname\_type\_on\_launch](#input\_database\_subnet\_private\_dns\_hostname\_type\_on\_launch) | The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name` | `string` | `null` | no |
| [database\_subnet\_suffix](#input\_database\_subnet\_suffix) | Suffix to append to database subnets name | `string` | `"db"` | no |
| [database\_subnet\_tags](#input\_database\_subnet\_tags) | Additional tags for the database subnets | `map(string)` | `{}` | no |
+| [database\_subnet\_tags\_per\_subnet](#input\_database\_subnet\_tags\_per\_subnet) | Additional tags for the database subnets, if specified then must have a length equal to the number of database subnets | `list(map(string))` | `[]` | no |
| [database\_subnets](#input\_database\_subnets) | A list of database subnets inside the VPC | `list(string)` | `[]` | no |
| [default\_network\_acl\_egress](#input\_default\_network\_acl\_egress) | List of maps of egress rules to set on the Default Network ACL | `list(map(string))` | [
{
"action": "allow",
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_no": 100,
"to_port": 0
},
{
"action": "allow",
"from_port": 0,
"ipv6_cidr_block": "::/0",
"protocol": "-1",
"rule_no": 101,
"to_port": 0
}
]
| no |
| [default\_network\_acl\_ingress](#input\_default\_network\_acl\_ingress) | List of maps of ingress rules to set on the Default Network ACL | `list(map(string))` | [
{
"action": "allow",
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_no": 100,
"to_port": 0
},
{
"action": "allow",
"from_port": 0,
"ipv6_cidr_block": "::/0",
"protocol": "-1",
"rule_no": 101,
"to_port": 0
}
]
| no |
@@ -432,6 +435,7 @@ No modules.
| [elasticache\_subnet\_private\_dns\_hostname\_type\_on\_launch](#input\_elasticache\_subnet\_private\_dns\_hostname\_type\_on\_launch) | The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name` | `string` | `null` | no |
| [elasticache\_subnet\_suffix](#input\_elasticache\_subnet\_suffix) | Suffix to append to elasticache subnets name | `string` | `"elasticache"` | no |
| [elasticache\_subnet\_tags](#input\_elasticache\_subnet\_tags) | Additional tags for the elasticache subnets | `map(string)` | `{}` | no |
+| [elasticache\_subnet\_tags\_per\_subnet](#input\_elasticache\_subnet\_tags\_per\_subnet) | Additional tags for the elasticache subnets, if specified then must have a length equal to the number of elasticache subnets | `list(map(string))` | `[]` | no |
| [elasticache\_subnets](#input\_elasticache\_subnets) | A list of elasticache subnets inside the VPC | `list(string)` | `[]` | no |
| [enable\_dhcp\_options](#input\_enable\_dhcp\_options) | Should be true if you want to specify a DHCP options set with a custom domain name, DNS servers, NTP servers, netbios servers, and/or netbios server type | `bool` | `false` | no |
| [enable\_dns\_hostnames](#input\_enable\_dns\_hostnames) | Should be true to enable DNS hostnames in the VPC | `bool` | `true` | no |
@@ -445,12 +449,15 @@ No modules.
| [external\_nat\_ip\_ids](#input\_external\_nat\_ip\_ids) | List of EIP IDs to be assigned to the NAT Gateways (used in combination with reuse\_nat\_ips) | `list(string)` | `[]` | no |
| [external\_nat\_ips](#input\_external\_nat\_ips) | List of EIPs to be used for `nat_public_ips` output (used in combination with reuse\_nat\_ips and external\_nat\_ip\_ids) | `list(string)` | `[]` | no |
| [flow\_log\_cloudwatch\_iam\_role\_arn](#input\_flow\_log\_cloudwatch\_iam\_role\_arn) | The ARN for the IAM role that's used to post flow logs to a CloudWatch Logs log group. When flow\_log\_destination\_arn is set to ARN of Cloudwatch Logs, this argument needs to be provided | `string` | `""` | no |
+| [flow\_log\_cloudwatch\_log\_group\_class](#input\_flow\_log\_cloudwatch\_log\_group\_class) | Specified the log class of the log group. Possible values are: STANDARD or INFREQUENT\_ACCESS | `string` | `null` | no |
| [flow\_log\_cloudwatch\_log\_group\_kms\_key\_id](#input\_flow\_log\_cloudwatch\_log\_group\_kms\_key\_id) | The ARN of the KMS Key to use when encrypting log data for VPC flow logs | `string` | `null` | no |
| [flow\_log\_cloudwatch\_log\_group\_name\_prefix](#input\_flow\_log\_cloudwatch\_log\_group\_name\_prefix) | Specifies the name prefix of CloudWatch Log Group for VPC flow logs | `string` | `"/aws/vpc-flow-log/"` | no |
| [flow\_log\_cloudwatch\_log\_group\_name\_suffix](#input\_flow\_log\_cloudwatch\_log\_group\_name\_suffix) | Specifies the name suffix of CloudWatch Log Group for VPC flow logs | `string` | `""` | no |
| [flow\_log\_cloudwatch\_log\_group\_retention\_in\_days](#input\_flow\_log\_cloudwatch\_log\_group\_retention\_in\_days) | Specifies the number of days you want to retain log events in the specified log group for VPC flow logs | `number` | `null` | no |
+| [flow\_log\_cloudwatch\_log\_group\_skip\_destroy](#input\_flow\_log\_cloudwatch\_log\_group\_skip\_destroy) | Set to true if you do not wish the log group (and any logs it may contain) to be deleted at destroy time, and instead just remove the log group from the Terraform state | `bool` | `false` | no |
+| [flow\_log\_deliver\_cross\_account\_role](#input\_flow\_log\_deliver\_cross\_account\_role) | (Optional) ARN of the IAM role that allows Amazon EC2 to publish flow logs across accounts. | `string` | `null` | no |
| [flow\_log\_destination\_arn](#input\_flow\_log\_destination\_arn) | The ARN of the CloudWatch log group or S3 bucket where VPC Flow Logs will be pushed. If this ARN is a S3 bucket the appropriate permissions need to be set on that bucket's policy. When create\_flow\_log\_cloudwatch\_log\_group is set to false this argument must be provided | `string` | `""` | no |
-| [flow\_log\_destination\_type](#input\_flow\_log\_destination\_type) | Type of flow log destination. Can be s3 or cloud-watch-logs | `string` | `"cloud-watch-logs"` | no |
+| [flow\_log\_destination\_type](#input\_flow\_log\_destination\_type) | Type of flow log destination. Can be s3, kinesis-data-firehose or cloud-watch-logs | `string` | `"cloud-watch-logs"` | no |
| [flow\_log\_file\_format](#input\_flow\_log\_file\_format) | (Optional) The format for the flow log. Valid values: `plain-text`, `parquet` | `string` | `null` | no |
| [flow\_log\_hive\_compatible\_partitions](#input\_flow\_log\_hive\_compatible\_partitions) | (Optional) Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3 | `bool` | `false` | no |
| [flow\_log\_log\_format](#input\_flow\_log\_log\_format) | The fields to include in the flow log record, in the order in which they should appear | `string` | `null` | no |
@@ -474,6 +481,7 @@ No modules.
| [intra\_subnet\_private\_dns\_hostname\_type\_on\_launch](#input\_intra\_subnet\_private\_dns\_hostname\_type\_on\_launch) | The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name` | `string` | `null` | no |
| [intra\_subnet\_suffix](#input\_intra\_subnet\_suffix) | Suffix to append to intra subnets name | `string` | `"intra"` | no |
| [intra\_subnet\_tags](#input\_intra\_subnet\_tags) | Additional tags for the intra subnets | `map(string)` | `{}` | no |
+| [intra\_subnet\_tags\_per\_subnet](#input\_intra\_subnet\_tags\_per\_subnet) | Additional tags for the intra subnets, if specified then must have a length equal to the number of intra subnets | `list(map(string))` | `[]` | no |
| [intra\_subnets](#input\_intra\_subnets) | A list of intra subnets inside the VPC | `list(string)` | `[]` | no |
| [ipv4\_ipam\_pool\_id](#input\_ipv4\_ipam\_pool\_id) | (Optional) The ID of an IPv4 IPAM pool you want to use for allocating this VPC's CIDR | `string` | `null` | no |
| [ipv4\_netmask\_length](#input\_ipv4\_netmask\_length) | (Optional) The netmask length of the IPv4 CIDR you want to allocate to this VPC. Requires specifying a ipv4\_ipam\_pool\_id | `number` | `null` | no |
@@ -489,8 +497,12 @@ No modules.
| [map\_public\_ip\_on\_launch](#input\_map\_public\_ip\_on\_launch) | Specify true to indicate that instances launched into the subnet should be assigned a public IP address. Default is `false` | `bool` | `false` | no |
| [name](#input\_name) | Name to be used on all the resources as identifier | `string` | `""` | no |
| [nat\_eip\_tags](#input\_nat\_eip\_tags) | Additional tags for the NAT EIP | `map(string)` | `{}` | no |
+| [nat\_eip\_tags\_per\_az](#input\_nat\_eip\_tags\_per\_az) | Additional tags for the NAT EIPs where the primary key is the AZ | `map(map(string))` | `{}` | no |
+| [nat\_eip\_tags\_per\_subnet](#input\_nat\_eip\_tags\_per\_subnet) | Additional tags for the NAT EIPs, if specified then must have a length equal to the number of private subnets | `list(map(string))` | `[]` | no |
| [nat\_gateway\_destination\_cidr\_block](#input\_nat\_gateway\_destination\_cidr\_block) | Used to pass a custom destination route for private NAT Gateway. If not specified, the default 0.0.0.0/0 is used as a destination route | `string` | `"0.0.0.0/0"` | no |
| [nat\_gateway\_tags](#input\_nat\_gateway\_tags) | Additional tags for the NAT gateways | `map(string)` | `{}` | no |
+| [nat\_gateway\_tags\_per\_az](#input\_nat\_gateway\_tags\_per\_az) | Additional tags for the NAT gateways where the primary key is the AZ | `map(map(string))` | `{}` | no |
+| [nat\_gateway\_tags\_per\_subnet](#input\_nat\_gateway\_tags\_per\_subnet) | Additional tags for the NAT gateways, if specified then must have a length equal to the number of private subnets | `list(map(string))` | `[]` | no |
| [one\_nat\_gateway\_per\_az](#input\_one\_nat\_gateway\_per\_az) | Should be true if you want only one NAT Gateway per availability zone. Requires `var.azs` to be set, and the number of `public_subnets` created to be greater than or equal to the number of availability zones specified in `var.azs` | `bool` | `false` | no |
| [outpost\_acl\_tags](#input\_outpost\_acl\_tags) | Additional tags for the outpost subnets network ACL | `map(string)` | `{}` | no |
| [outpost\_arn](#input\_outpost\_arn) | ARN of Outpost you want to create a subnet in | `string` | `null` | no |
@@ -508,12 +520,15 @@ No modules.
| [outpost\_subnet\_private\_dns\_hostname\_type\_on\_launch](#input\_outpost\_subnet\_private\_dns\_hostname\_type\_on\_launch) | The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name` | `string` | `null` | no |
| [outpost\_subnet\_suffix](#input\_outpost\_subnet\_suffix) | Suffix to append to outpost subnets name | `string` | `"outpost"` | no |
| [outpost\_subnet\_tags](#input\_outpost\_subnet\_tags) | Additional tags for the outpost subnets | `map(string)` | `{}` | no |
+| [outpost\_subnet\_tags\_per\_subnet](#input\_outpost\_subnet\_tags\_per\_subnet) | Additional tags for the outpost subnets, if specified then must have a length equal to the number of outpost subnets | `list(map(string))` | `[]` | no |
| [outpost\_subnets](#input\_outpost\_subnets) | A list of outpost subnets inside the VPC | `list(string)` | `[]` | no |
| [private\_acl\_tags](#input\_private\_acl\_tags) | Additional tags for the private subnets network ACL | `map(string)` | `{}` | no |
| [private\_dedicated\_network\_acl](#input\_private\_dedicated\_network\_acl) | Whether to use dedicated network ACL (not default) and custom rules for private subnets | `bool` | `false` | no |
| [private\_inbound\_acl\_rules](#input\_private\_inbound\_acl\_rules) | Private subnets inbound network ACLs | `list(map(string))` | [
{
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_action": "allow",
"rule_number": 100,
"to_port": 0
}
]
| no |
| [private\_outbound\_acl\_rules](#input\_private\_outbound\_acl\_rules) | Private subnets outbound network ACLs | `list(map(string))` | [
{
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_action": "allow",
"rule_number": 100,
"to_port": 0
}
]
| no |
+| [private\_route\_table\_names](#input\_private\_route\_table\_names) | Explicit values to use in the Name tag on private route tables. If empty, Name tags are generated. | `list(string)` | `[]` | no |
| [private\_route\_table\_tags](#input\_private\_route\_table\_tags) | Additional tags for the private route tables | `map(string)` | `{}` | no |
+| [private\_route\_table\_tags\_per\_subnet](#input\_private\_route\_table\_tags\_per\_subnet) | Additional tags for the private route tables, if specified then must have a length equal to the number of private subnets | `list(map(string))` | `[]` | no |
| [private\_subnet\_assign\_ipv6\_address\_on\_creation](#input\_private\_subnet\_assign\_ipv6\_address\_on\_creation) | Specify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. Default is `false` | `bool` | `false` | no |
| [private\_subnet\_enable\_dns64](#input\_private\_subnet\_enable\_dns64) | Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: `true` | `bool` | `true` | no |
| [private\_subnet\_enable\_resource\_name\_dns\_a\_record\_on\_launch](#input\_private\_subnet\_enable\_resource\_name\_dns\_a\_record\_on\_launch) | Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: `false` | `bool` | `false` | no |
@@ -525,6 +540,7 @@ No modules.
| [private\_subnet\_suffix](#input\_private\_subnet\_suffix) | Suffix to append to private subnets name | `string` | `"private"` | no |
| [private\_subnet\_tags](#input\_private\_subnet\_tags) | Additional tags for the private subnets | `map(string)` | `{}` | no |
| [private\_subnet\_tags\_per\_az](#input\_private\_subnet\_tags\_per\_az) | Additional tags for the private subnets where the primary key is the AZ | `map(map(string))` | `{}` | no |
+| [private\_subnet\_tags\_per\_subnet](#input\_private\_subnet\_tags\_per\_subnet) | Additional tags for the private subnets, if specified then must have a length equal to the number of private subnets | `list(map(string))` | `[]` | no |
| [private\_subnets](#input\_private\_subnets) | A list of private subnets inside the VPC | `list(string)` | `[]` | no |
| [propagate\_intra\_route\_tables\_vgw](#input\_propagate\_intra\_route\_tables\_vgw) | Should be true if you want route table propagation | `bool` | `false` | no |
| [propagate\_private\_route\_tables\_vgw](#input\_propagate\_private\_route\_tables\_vgw) | Should be true if you want route table propagation | `bool` | `false` | no |
@@ -545,6 +561,7 @@ No modules.
| [public\_subnet\_suffix](#input\_public\_subnet\_suffix) | Suffix to append to public subnets name | `string` | `"public"` | no |
| [public\_subnet\_tags](#input\_public\_subnet\_tags) | Additional tags for the public subnets | `map(string)` | `{}` | no |
| [public\_subnet\_tags\_per\_az](#input\_public\_subnet\_tags\_per\_az) | Additional tags for the public subnets where the primary key is the AZ | `map(map(string))` | `{}` | no |
+| [public\_subnet\_tags\_per\_subnet](#input\_public\_subnet\_tags\_per\_subnet) | Additional tags for the public subnets, if specified then must have a length equal to the number of public subnets | `list(map(string))` | `[]` | no |
| [public\_subnets](#input\_public\_subnets) | A list of public subnets inside the VPC | `list(string)` | `[]` | no |
| [putin\_khuylo](#input\_putin\_khuylo) | Do you agree that Putin doesn't respect Ukrainian sovereignty and territorial integrity? More info: https://en.wikipedia.org/wiki/Putin_khuylo! | `bool` | `true` | no |
| [redshift\_acl\_tags](#input\_redshift\_acl\_tags) | Additional tags for the redshift subnets network ACL | `map(string)` | `{}` | no |
@@ -564,6 +581,7 @@ No modules.
| [redshift\_subnet\_private\_dns\_hostname\_type\_on\_launch](#input\_redshift\_subnet\_private\_dns\_hostname\_type\_on\_launch) | The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name` | `string` | `null` | no |
| [redshift\_subnet\_suffix](#input\_redshift\_subnet\_suffix) | Suffix to append to redshift subnets name | `string` | `"redshift"` | no |
| [redshift\_subnet\_tags](#input\_redshift\_subnet\_tags) | Additional tags for the redshift subnets | `map(string)` | `{}` | no |
+| [redshift\_subnet\_tags\_per\_subnet](#input\_redshift\_subnet\_tags\_per\_subnet) | Additional tags for the redshift subnets, if specified then must have a length equal to the number of redshift subnets | `list(map(string))` | `[]` | no |
| [redshift\_subnets](#input\_redshift\_subnets) | A list of redshift subnets inside the VPC | `list(string)` | `[]` | no |
| [reuse\_nat\_ips](#input\_reuse\_nat\_ips) | Should be true if you don't want EIPs to be created for your NAT Gateways and will instead pass them in via the 'external\_nat\_ip\_ids' variable | `bool` | `false` | no |
| [secondary\_cidr\_blocks](#input\_secondary\_cidr\_blocks) | List of secondary CIDR blocks to associate with the VPC to extend the IP Address pool | `list(string)` | `[]` | no |
@@ -636,6 +654,7 @@ No modules.
| [nat\_ids](#output\_nat\_ids) | List of allocation ID of Elastic IPs created for AWS NAT Gateway |
| [nat\_public\_ips](#output\_nat\_public\_ips) | List of public Elastic IPs created for AWS NAT Gateway |
| [natgw\_ids](#output\_natgw\_ids) | List of NAT Gateway IDs |
+| [natgw\_interface\_ids](#output\_natgw\_interface\_ids) | List of Network Interface IDs assigned to NAT Gateways |
| [outpost\_network\_acl\_arn](#output\_outpost\_network\_acl\_arn) | ARN of the outpost network ACL |
| [outpost\_network\_acl\_id](#output\_outpost\_network\_acl\_id) | ID of the outpost network ACL |
| [outpost\_subnet\_arns](#output\_outpost\_subnet\_arns) | List of ARNs of outpost subnets |
@@ -680,6 +699,7 @@ No modules.
| [vpc\_enable\_dns\_hostnames](#output\_vpc\_enable\_dns\_hostnames) | Whether or not the VPC has DNS hostname support |
| [vpc\_enable\_dns\_support](#output\_vpc\_enable\_dns\_support) | Whether or not the VPC has DNS support |
| [vpc\_flow\_log\_cloudwatch\_iam\_role\_arn](#output\_vpc\_flow\_log\_cloudwatch\_iam\_role\_arn) | The ARN of the IAM role used when pushing logs to Cloudwatch log group |
+| [vpc\_flow\_log\_deliver\_cross\_account\_role](#output\_vpc\_flow\_log\_deliver\_cross\_account\_role) | The ARN of the IAM role used when pushing logs cross account |
| [vpc\_flow\_log\_destination\_arn](#output\_vpc\_flow\_log\_destination\_arn) | The ARN of the destination for VPC Flow Logs |
| [vpc\_flow\_log\_destination\_type](#output\_vpc\_flow\_log\_destination\_type) | The type of the destination for VPC Flow Logs |
| [vpc\_flow\_log\_id](#output\_vpc\_flow\_log\_id) | The ID of the Flow Log resource |
diff --git a/examples/complete/README.md b/examples/complete/README.md
index d6e4eb4a8..fbe618488 100644
--- a/examples/complete/README.md
+++ b/examples/complete/README.md
@@ -22,13 +22,13 @@ Note that this example may create resources which can cost money (AWS Elastic IP
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
-| [aws](#requirement\_aws) | >= 5.0 |
+| [aws](#requirement\_aws) | >= 5.30 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 5.0 |
+| [aws](#provider\_aws) | >= 5.30 |
## Modules
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
index 514355631..204489880 100644
--- a/examples/complete/main.tf
+++ b/examples/complete/main.tf
@@ -102,8 +102,12 @@ module "vpc_endpoints" {
endpoints = {
s3 = {
- service = "s3"
- tags = { Name = "s3-vpc-endpoint" }
+ service = "s3"
+ private_dns_enabled = true
+ dns_options = {
+ private_dns_only_for_inbound_resolver_endpoint = false
+ }
+ tags = { Name = "s3-vpc-endpoint" }
},
dynamodb = {
service = "dynamodb"
diff --git a/examples/complete/versions.tf b/examples/complete/versions.tf
index ddfcb0e05..22111ba53 100644
--- a/examples/complete/versions.tf
+++ b/examples/complete/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.0"
+ version = ">= 5.30"
}
}
}
diff --git a/examples/ipam/README.md b/examples/ipam/README.md
index 07373875a..ce1070c5a 100644
--- a/examples/ipam/README.md
+++ b/examples/ipam/README.md
@@ -30,13 +30,13 @@ Note that this example may create resources which can cost money (AWS Elastic IP
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
-| [aws](#requirement\_aws) | >= 5.0 |
+| [aws](#requirement\_aws) | >= 5.30 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 5.0 |
+| [aws](#provider\_aws) | >= 5.30 |
## Modules
diff --git a/examples/ipam/versions.tf b/examples/ipam/versions.tf
index ddfcb0e05..22111ba53 100644
--- a/examples/ipam/versions.tf
+++ b/examples/ipam/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.0"
+ version = ">= 5.30"
}
}
}
diff --git a/examples/ipv6-dualstack/README.md b/examples/ipv6-dualstack/README.md
index 3318683ec..5b5c17c09 100644
--- a/examples/ipv6-dualstack/README.md
+++ b/examples/ipv6-dualstack/README.md
@@ -20,13 +20,13 @@ Note that this example may create resources which can cost money (AWS Elastic IP
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
-| [aws](#requirement\_aws) | >= 5.0 |
+| [aws](#requirement\_aws) | >= 5.30 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 5.0 |
+| [aws](#provider\_aws) | >= 5.30 |
## Modules
diff --git a/examples/ipv6-dualstack/versions.tf b/examples/ipv6-dualstack/versions.tf
index ddfcb0e05..22111ba53 100644
--- a/examples/ipv6-dualstack/versions.tf
+++ b/examples/ipv6-dualstack/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.0"
+ version = ">= 5.30"
}
}
}
diff --git a/examples/ipv6-only/README.md b/examples/ipv6-only/README.md
index eb8cea2e0..e4fea6c43 100644
--- a/examples/ipv6-only/README.md
+++ b/examples/ipv6-only/README.md
@@ -20,13 +20,13 @@ Note that this example may create resources which can cost money (AWS Elastic IP
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
-| [aws](#requirement\_aws) | >= 5.0 |
+| [aws](#requirement\_aws) | >= 5.30 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 5.0 |
+| [aws](#provider\_aws) | >= 5.30 |
## Modules
diff --git a/examples/ipv6-only/versions.tf b/examples/ipv6-only/versions.tf
index ddfcb0e05..22111ba53 100644
--- a/examples/ipv6-only/versions.tf
+++ b/examples/ipv6-only/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.0"
+ version = ">= 5.30"
}
}
}
diff --git a/examples/issues/README.md b/examples/issues/README.md
index 92cc3a4ca..a312e67a7 100644
--- a/examples/issues/README.md
+++ b/examples/issues/README.md
@@ -25,13 +25,13 @@ Note that this example may create resources which can cost money (AWS Elastic IP
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
-| [aws](#requirement\_aws) | >= 5.0 |
+| [aws](#requirement\_aws) | >= 5.30 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 5.0 |
+| [aws](#provider\_aws) | >= 5.30 |
## Modules
diff --git a/examples/issues/versions.tf b/examples/issues/versions.tf
index ddfcb0e05..22111ba53 100644
--- a/examples/issues/versions.tf
+++ b/examples/issues/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.0"
+ version = ">= 5.30"
}
}
}
diff --git a/examples/manage-default-vpc/README.md b/examples/manage-default-vpc/README.md
index 0c506f33f..d1e70e542 100644
--- a/examples/manage-default-vpc/README.md
+++ b/examples/manage-default-vpc/README.md
@@ -22,7 +22,7 @@ Run `terraform destroy` when you don't need these resources.
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
-| [aws](#requirement\_aws) | >= 5.0 |
+| [aws](#requirement\_aws) | >= 5.30 |
## Providers
diff --git a/examples/manage-default-vpc/versions.tf b/examples/manage-default-vpc/versions.tf
index ddfcb0e05..22111ba53 100644
--- a/examples/manage-default-vpc/versions.tf
+++ b/examples/manage-default-vpc/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.0"
+ version = ">= 5.30"
}
}
}
diff --git a/examples/network-acls/README.md b/examples/network-acls/README.md
index 4e6ca7a0c..477a903d2 100644
--- a/examples/network-acls/README.md
+++ b/examples/network-acls/README.md
@@ -24,13 +24,13 @@ Note that this example may create resources which can cost money (AWS Elastic IP
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
-| [aws](#requirement\_aws) | >= 5.0 |
+| [aws](#requirement\_aws) | >= 5.30 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 5.0 |
+| [aws](#provider\_aws) | >= 5.30 |
## Modules
diff --git a/examples/network-acls/versions.tf b/examples/network-acls/versions.tf
index ddfcb0e05..22111ba53 100644
--- a/examples/network-acls/versions.tf
+++ b/examples/network-acls/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.0"
+ version = ">= 5.30"
}
}
}
diff --git a/examples/outpost/README.md b/examples/outpost/README.md
index 8c7173bb9..8105dff04 100644
--- a/examples/outpost/README.md
+++ b/examples/outpost/README.md
@@ -24,13 +24,13 @@ Note that this example may create resources which can cost money (AWS Elastic IP
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
-| [aws](#requirement\_aws) | >= 5.0 |
+| [aws](#requirement\_aws) | >= 5.30 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 5.0 |
+| [aws](#provider\_aws) | >= 5.30 |
## Modules
diff --git a/examples/outpost/versions.tf b/examples/outpost/versions.tf
index ddfcb0e05..22111ba53 100644
--- a/examples/outpost/versions.tf
+++ b/examples/outpost/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.0"
+ version = ">= 5.30"
}
}
}
diff --git a/examples/secondary-cidr-blocks/README.md b/examples/secondary-cidr-blocks/README.md
index 5054d43f9..be90f2670 100644
--- a/examples/secondary-cidr-blocks/README.md
+++ b/examples/secondary-cidr-blocks/README.md
@@ -22,13 +22,13 @@ Note that this example may create resources which can cost money (AWS Elastic IP
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
-| [aws](#requirement\_aws) | >= 5.0 |
+| [aws](#requirement\_aws) | >= 5.30 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 5.0 |
+| [aws](#provider\_aws) | >= 5.30 |
## Modules
diff --git a/examples/secondary-cidr-blocks/versions.tf b/examples/secondary-cidr-blocks/versions.tf
index ddfcb0e05..22111ba53 100644
--- a/examples/secondary-cidr-blocks/versions.tf
+++ b/examples/secondary-cidr-blocks/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.0"
+ version = ">= 5.30"
}
}
}
diff --git a/examples/separate-route-tables/README.md b/examples/separate-route-tables/README.md
index 57ee751f9..cd7be22ed 100644
--- a/examples/separate-route-tables/README.md
+++ b/examples/separate-route-tables/README.md
@@ -1,6 +1,6 @@
# VPC with separate private route tables
-Configuration in this directory creates set of VPC resources which may be sufficient for staging or production environment (look into [simple-vpc](../simple-vpc) for more simplified setup).
+Configuration in this directory creates set of VPC resources which may be sufficient for staging or production environment (look into [simple-vpc](../simple-vpc) for more simplified setup).
There are public, private, database, ElastiCache, Redshift subnets, NAT Gateways created in each availability zone. **This example sets up separate private route for database, elasticache and redshift subnets.**.
@@ -22,13 +22,13 @@ Note that this example may create resources which can cost money (AWS Elastic IP
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
-| [aws](#requirement\_aws) | >= 5.0 |
+| [aws](#requirement\_aws) | >= 5.30 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 5.0 |
+| [aws](#provider\_aws) | >= 5.30 |
## Modules
diff --git a/examples/separate-route-tables/versions.tf b/examples/separate-route-tables/versions.tf
index ddfcb0e05..22111ba53 100644
--- a/examples/separate-route-tables/versions.tf
+++ b/examples/separate-route-tables/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.0"
+ version = ">= 5.30"
}
}
}
diff --git a/examples/simple/README.md b/examples/simple/README.md
index 0d5658b4a..fb62fba7c 100644
--- a/examples/simple/README.md
+++ b/examples/simple/README.md
@@ -26,13 +26,13 @@ Note that this example may create resources which can cost money (AWS Elastic IP
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
-| [aws](#requirement\_aws) | >= 5.0 |
+| [aws](#requirement\_aws) | >= 5.30 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 5.0 |
+| [aws](#provider\_aws) | >= 5.30 |
## Modules
diff --git a/examples/simple/versions.tf b/examples/simple/versions.tf
index ddfcb0e05..22111ba53 100644
--- a/examples/simple/versions.tf
+++ b/examples/simple/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.0"
+ version = ">= 5.30"
}
}
}
diff --git a/examples/vpc-flow-logs/README.md b/examples/vpc-flow-logs/README.md
index d0cb120a8..e8b6f0d3b 100644
--- a/examples/vpc-flow-logs/README.md
+++ b/examples/vpc-flow-logs/README.md
@@ -24,14 +24,14 @@ Note that this example may create resources which can cost money (AWS Elastic IP
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
-| [aws](#requirement\_aws) | >= 5.0 |
+| [aws](#requirement\_aws) | >= 5.30 |
| [random](#requirement\_random) | >= 2.0 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 5.0 |
+| [aws](#provider\_aws) | >= 5.30 |
| [random](#provider\_random) | >= 2.0 |
## Modules
diff --git a/examples/vpc-flow-logs/main.tf b/examples/vpc-flow-logs/main.tf
index 140aa0cd6..9fee41bdf 100644
--- a/examples/vpc-flow-logs/main.tf
+++ b/examples/vpc-flow-logs/main.tf
@@ -78,6 +78,7 @@ module "vpc_with_flow_logs_cloudwatch_logs_default" {
flow_log_max_aggregation_interval = 60
flow_log_cloudwatch_log_group_name_prefix = "/aws/my-amazing-vpc-flow-logz/"
flow_log_cloudwatch_log_group_name_suffix = "my-test"
+ flow_log_cloudwatch_log_group_class = "INFREQUENT_ACCESS"
vpc_flow_log_tags = local.tags
}
diff --git a/examples/vpc-flow-logs/versions.tf b/examples/vpc-flow-logs/versions.tf
index 383652286..6af908428 100644
--- a/examples/vpc-flow-logs/versions.tf
+++ b/examples/vpc-flow-logs/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.0"
+ version = ">= 5.30"
}
random = {
diff --git a/main.tf b/main.tf
index 25fb194e4..ffb00b1ba 100644
--- a/main.tf
+++ b/main.tf
@@ -10,7 +10,6 @@ locals {
max_subnet_length = max(
local.len_private_subnets,
local.len_public_subnets,
- local.len_intra_subnets,
local.len_elasticache_subnets,
local.len_database_subnets,
local.len_redshift_subnets,
@@ -120,7 +119,8 @@ resource "aws_subnet" "public" {
},
var.tags,
var.public_subnet_tags,
- lookup(var.public_subnet_tags_per_az, element(var.azs, count.index), {})
+ lookup(var.public_subnet_tags_per_az, element(var.azs, count.index), {}),
+ length(var.public_subnet_tags_per_subnet) > 0 ? element(var.public_subnet_tags_per_subnet, count.index) : {},
)
}
@@ -246,7 +246,8 @@ resource "aws_subnet" "private" {
},
var.tags,
var.private_subnet_tags,
- lookup(var.private_subnet_tags_per_az, element(var.azs, count.index), {})
+ lookup(var.private_subnet_tags_per_az, element(var.azs, count.index), {}),
+ length(var.private_subnet_tags_per_subnet) > 0 ? element(var.private_subnet_tags_per_subnet, count.index) : {},
)
}
@@ -258,13 +259,17 @@ resource "aws_route_table" "private" {
tags = merge(
{
- "Name" = var.single_nat_gateway ? "${var.name}-${var.private_subnet_suffix}" : format(
- "${var.name}-${var.private_subnet_suffix}-%s",
- element(var.azs, count.index),
+ "Name" = try(
+ var.private_route_table_names[count.index],
+ var.single_nat_gateway ? "${var.name}-${var.private_subnet_suffix}" : format(
+ "${var.name}-${var.private_subnet_suffix}-%s",
+ element(var.azs, count.index),
+ )
)
},
var.tags,
var.private_route_table_tags,
+ length(var.private_route_table_tags_per_subnet) > 0 ? element(var.private_route_table_tags_per_subnet, count.index) : {},
)
}
@@ -366,6 +371,7 @@ resource "aws_subnet" "database" {
},
var.tags,
var.database_subnet_tags,
+ length(var.database_subnet_tags_per_subnet) > 0 ? element(var.database_subnet_tags_per_subnet, count.index) : {},
)
}
@@ -392,13 +398,17 @@ resource "aws_route_table" "database" {
tags = merge(
{
- "Name" = var.single_nat_gateway || var.create_database_internet_gateway_route ? "${var.name}-${var.database_subnet_suffix}" : format(
- "${var.name}-${var.database_subnet_suffix}-%s",
- element(var.azs, count.index),
+ "Name" = try(
+ var.database_route_table_names[count.index],
+ var.single_nat_gateway || var.create_database_internet_gateway_route ? "${var.name}-${var.database_subnet_suffix}" : format(
+ "${var.name}-${var.database_subnet_suffix}-%s",
+ element(var.azs, count.index),
+ )
)
},
var.tags,
var.database_route_table_tags,
+ length(var.database_route_table_tags_per_subnet) > 0 ? element(var.database_route_table_tags_per_subnet, count.index) : {},
)
}
@@ -548,6 +558,7 @@ resource "aws_subnet" "redshift" {
},
var.tags,
var.redshift_subnet_tags,
+ length(var.redshift_subnet_tags_per_subnet) > 0 ? element(var.redshift_subnet_tags_per_subnet, count.index) : {},
)
}
@@ -685,6 +696,7 @@ resource "aws_subnet" "elasticache" {
},
var.tags,
var.elasticache_subnet_tags,
+ length(var.elasticache_subnet_tags_per_subnet) > 0 ? element(var.elasticache_subnet_tags_per_subnet, count.index) : {},
)
}
@@ -814,6 +826,7 @@ resource "aws_subnet" "intra" {
},
var.tags,
var.intra_subnet_tags,
+ length(var.intra_subnet_tags_per_subnet) > 0 ? element(var.intra_subnet_tags_per_subnet, count.index) : {},
)
}
@@ -925,6 +938,7 @@ resource "aws_subnet" "outpost" {
},
var.tags,
var.outpost_subnet_tags,
+ length(var.outpost_subnet_tags_per_subnet) > 0 ? element(var.outpost_subnet_tags_per_subnet, count.index) : {},
)
}
@@ -1022,7 +1036,7 @@ resource "aws_egress_only_internet_gateway" "this" {
}
resource "aws_route" "private_ipv6_egress" {
- count = local.create_vpc && var.create_egress_only_igw && var.enable_ipv6 ? local.len_private_subnets : 0
+ count = local.create_vpc && var.create_egress_only_igw && var.enable_ipv6 ? local.nat_gateway_count : 0
route_table_id = element(aws_route_table.private[*].id, count.index)
destination_ipv6_cidr_block = "::/0"
@@ -1052,6 +1066,8 @@ resource "aws_eip" "nat" {
},
var.tags,
var.nat_eip_tags,
+ lookup(var.nat_eip_tags_per_az, element(var.azs, count.index), {}),
+ length(var.nat_eip_tags_per_subnet) > 0 ? element(var.nat_eip_tags_per_subnet, count.index) : {},
)
depends_on = [aws_internet_gateway.this]
@@ -1078,6 +1094,8 @@ resource "aws_nat_gateway" "this" {
},
var.tags,
var.nat_gateway_tags,
+ lookup(var.nat_gateway_tags_per_az, element(var.azs, count.index), {}),
+ length(var.nat_gateway_tags_per_subnet) > 0 ? element(var.nat_gateway_tags_per_subnet, count.index) : {},
)
depends_on = [aws_internet_gateway.this]
@@ -1124,6 +1142,10 @@ resource "aws_customer_gateway" "this" {
var.tags,
var.customer_gateway_tags,
)
+
+ lifecycle {
+ create_before_destroy = true
+ }
}
################################################################################
diff --git a/modules/vpc-endpoints/README.md b/modules/vpc-endpoints/README.md
index a59292ae8..6c0de6a46 100644
--- a/modules/vpc-endpoints/README.md
+++ b/modules/vpc-endpoints/README.md
@@ -56,13 +56,13 @@ module "endpoints" {
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
-| [aws](#requirement\_aws) | >= 5.0 |
+| [aws](#requirement\_aws) | >= 5.30 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 5.0 |
+| [aws](#provider\_aws) | >= 5.30 |
## Modules
diff --git a/modules/vpc-endpoints/main.tf b/modules/vpc-endpoints/main.tf
index 8c4b09c38..5526c3344 100644
--- a/modules/vpc-endpoints/main.tf
+++ b/modules/vpc-endpoints/main.tf
@@ -24,7 +24,7 @@ resource "aws_vpc_endpoint" "this" {
for_each = local.endpoints
vpc_id = var.vpc_id
- service_name = data.aws_vpc_endpoint_service.this[each.key].service_name
+ service_name = try(each.value.service_endpoint, data.aws_vpc_endpoint_service.this[each.key].service_name)
vpc_endpoint_type = try(each.value.service_type, "Interface")
auto_accept = try(each.value.auto_accept, null)
@@ -34,6 +34,15 @@ resource "aws_vpc_endpoint" "this" {
policy = try(each.value.policy, null)
private_dns_enabled = try(each.value.service_type, "Interface") == "Interface" ? try(each.value.private_dns_enabled, null) : null
+ dynamic "dns_options" {
+ for_each = try([each.value.dns_options], [])
+
+ content {
+ dns_record_ip_type = try(dns_options.value.dns_options.dns_record_ip_type, null)
+ private_dns_only_for_inbound_resolver_endpoint = try(dns_options.value.private_dns_only_for_inbound_resolver_endpoint, null)
+ }
+ }
+
tags = merge(var.tags, try(each.value.tags, {}))
timeouts {
diff --git a/modules/vpc-endpoints/versions.tf b/modules/vpc-endpoints/versions.tf
index ddfcb0e05..22111ba53 100644
--- a/modules/vpc-endpoints/versions.tf
+++ b/modules/vpc-endpoints/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.0"
+ version = ">= 5.30"
}
}
}
diff --git a/outputs.tf b/outputs.tf
index d4e3e4079..5cf1ffc0c 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -484,6 +484,11 @@ output "natgw_ids" {
value = aws_nat_gateway.this[*].id
}
+output "natgw_interface_ids" {
+ description = "List of Network Interface IDs assigned to NAT Gateways"
+ value = aws_nat_gateway.this[*].network_interface_id
+}
+
################################################################################
# Egress Only Gateway
################################################################################
@@ -604,6 +609,11 @@ output "vpc_flow_log_cloudwatch_iam_role_arn" {
value = local.flow_log_iam_role_arn
}
+output "vpc_flow_log_deliver_cross_account_role" {
+ description = "The ARN of the IAM role used when pushing logs cross account"
+ value = try(aws_flow_log.this[0].deliver_cross_account_role, null)
+}
+
################################################################################
# Static values (arguments)
################################################################################
diff --git a/variables.tf b/variables.tf
index 148ce3f19..7ddfb90c8 100644
--- a/variables.tf
+++ b/variables.tf
@@ -238,6 +238,12 @@ variable "public_subnet_tags" {
default = {}
}
+variable "public_subnet_tags_per_subnet" {
+ description = "Additional tags for the public subnets, if specified then must have a length equal to the number of public subnets"
+ type = list(map(string))
+ default = []
+}
+
variable "public_subnet_tags_per_az" {
description = "Additional tags for the public subnets where the primary key is the AZ"
type = map(map(string))
@@ -342,6 +348,7 @@ variable "private_subnet_ipv6_native" {
default = false
}
+
variable "private_subnet_private_dns_hostname_type_on_launch" {
description = "The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name`"
type = string
@@ -366,18 +373,36 @@ variable "private_subnet_tags" {
default = {}
}
+variable "private_subnet_tags_per_subnet" {
+ description = "Additional tags for the private subnets, if specified then must have a length equal to the number of private subnets"
+ type = list(map(string))
+ default = []
+}
+
variable "private_subnet_tags_per_az" {
description = "Additional tags for the private subnets where the primary key is the AZ"
type = map(map(string))
default = {}
}
+variable "private_route_table_names" {
+ description = "Explicit values to use in the Name tag on private route tables. If empty, Name tags are generated."
+ type = list(string)
+ default = []
+}
+
variable "private_route_table_tags" {
description = "Additional tags for the private route tables"
type = map(string)
default = {}
}
+variable "private_route_table_tags_per_subnet" {
+ description = "Additional tags for the private route tables, if specified then must have a length equal to the number of private subnets"
+ type = list(map(string))
+ default = []
+}
+
################################################################################
# Private Network ACLs
################################################################################
@@ -506,12 +531,24 @@ variable "create_database_nat_gateway_route" {
default = false
}
+variable "database_route_table_names" {
+ description = "Explicit values to use in the Name tag on database route tables. If empty, Name tags are generated."
+ type = list(string)
+ default = []
+}
+
variable "database_route_table_tags" {
description = "Additional tags for the database route tables"
type = map(string)
default = {}
}
+variable "database_route_table_tags_per_subnet" {
+ description = "Additional tags for the database route tables, if specified then must have a length equal to the number of database subnets"
+ type = list(map(string))
+ default = []
+}
+
variable "database_subnet_tags" {
description = "Additional tags for the database subnets"
type = map(string)
@@ -536,6 +573,12 @@ variable "database_subnet_group_tags" {
default = {}
}
+variable "database_subnet_tags_per_subnet" {
+ description = "Additional tags for the database subnets, if specified then must have a length equal to the number of database subnets"
+ type = list(map(string))
+ default = []
+}
+
################################################################################
# Database Network ACLs
################################################################################
@@ -688,6 +731,12 @@ variable "redshift_subnet_group_tags" {
default = {}
}
+variable "redshift_subnet_tags_per_subnet" {
+ description = "Additional tags for the redshift subnets, if specified then must have a length equal to the number of redshift subnets"
+ type = list(map(string))
+ default = []
+}
+
################################################################################
# Redshift Network ACLs
################################################################################
@@ -804,6 +853,12 @@ variable "elasticache_subnet_tags" {
default = {}
}
+variable "elasticache_subnet_tags_per_subnet" {
+ description = "Additional tags for the elasticache subnets, if specified then must have a length equal to the number of elasticache subnets"
+ type = list(map(string))
+ default = []
+}
+
variable "create_elasticache_subnet_route_table" {
description = "Controls if separate route table for elasticache should be created"
type = bool
@@ -956,6 +1011,12 @@ variable "intra_route_table_tags" {
default = {}
}
+variable "intra_subnet_tags_per_subnet" {
+ description = "Additional tags for the intra subnets, if specified then must have a length equal to the number of intra subnets"
+ type = list(map(string))
+ default = []
+}
+
################################################################################
# Intra Network ACLs
################################################################################
@@ -1096,6 +1157,12 @@ variable "outpost_subnet_tags" {
default = {}
}
+variable "outpost_subnet_tags_per_subnet" {
+ description = "Additional tags for the outpost subnets, if specified then must have a length equal to the number of outpost subnets"
+ type = list(map(string))
+ default = []
+}
+
################################################################################
# Outpost Network ACLs
################################################################################
@@ -1216,12 +1283,36 @@ variable "nat_gateway_tags" {
default = {}
}
+variable "nat_gateway_tags_per_az" {
+ description = "Additional tags for the NAT gateways where the primary key is the AZ"
+ type = map(map(string))
+ default = {}
+}
+
+variable "nat_gateway_tags_per_subnet" {
+ description = "Additional tags for the NAT gateways, if specified then must have a length equal to the number of private subnets"
+ type = list(map(string))
+ default = []
+}
+
variable "nat_eip_tags" {
description = "Additional tags for the NAT EIP"
type = map(string)
default = {}
}
+variable "nat_eip_tags_per_az" {
+ description = "Additional tags for the NAT EIPs where the primary key is the AZ"
+ type = map(map(string))
+ default = {}
+}
+
+variable "nat_eip_tags_per_subnet" {
+ description = "Additional tags for the NAT EIPs, if specified then must have a length equal to the number of private subnets"
+ type = list(map(string))
+ default = []
+}
+
################################################################################
# Customer Gateways
################################################################################
@@ -1485,7 +1576,7 @@ variable "flow_log_traffic_type" {
}
variable "flow_log_destination_type" {
- description = "Type of flow log destination. Can be s3 or cloud-watch-logs"
+ description = "Type of flow log destination. Can be s3, kinesis-data-firehose or cloud-watch-logs"
type = string
default = "cloud-watch-logs"
}
@@ -1502,6 +1593,12 @@ variable "flow_log_destination_arn" {
default = ""
}
+variable "flow_log_deliver_cross_account_role" {
+ description = "(Optional) ARN of the IAM role that allows Amazon EC2 to publish flow logs across accounts."
+ type = string
+ default = null
+}
+
variable "flow_log_file_format" {
description = "(Optional) The format for the flow log. Valid values: `plain-text`, `parquet`"
type = string
@@ -1572,6 +1669,18 @@ variable "flow_log_cloudwatch_log_group_kms_key_id" {
default = null
}
+variable "flow_log_cloudwatch_log_group_skip_destroy" {
+ description = " Set to true if you do not wish the log group (and any logs it may contain) to be deleted at destroy time, and instead just remove the log group from the Terraform state"
+ type = bool
+ default = false
+}
+
+variable "flow_log_cloudwatch_log_group_class" {
+ description = "Specified the log class of the log group. Possible values are: STANDARD or INFREQUENT_ACCESS"
+ type = string
+ default = null
+}
+
variable "putin_khuylo" {
description = "Do you agree that Putin doesn't respect Ukrainian sovereignty and territorial integrity? More info: https://en.wikipedia.org/wiki/Putin_khuylo!"
type = bool
diff --git a/versions.tf b/versions.tf
index ddfcb0e05..22111ba53 100644
--- a/versions.tf
+++ b/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.0"
+ version = ">= 5.30"
}
}
}
diff --git a/vpc-flow-logs.tf b/vpc-flow-logs.tf
index ac9f25758..e21cd11e6 100644
--- a/vpc-flow-logs.tf
+++ b/vpc-flow-logs.tf
@@ -17,13 +17,14 @@ locals {
resource "aws_flow_log" "this" {
count = local.enable_flow_log ? 1 : 0
- log_destination_type = var.flow_log_destination_type
- log_destination = local.flow_log_destination_arn
- log_format = var.flow_log_log_format
- iam_role_arn = local.flow_log_iam_role_arn
- traffic_type = var.flow_log_traffic_type
- vpc_id = local.vpc_id
- max_aggregation_interval = var.flow_log_max_aggregation_interval
+ log_destination_type = var.flow_log_destination_type
+ log_destination = local.flow_log_destination_arn
+ log_format = var.flow_log_log_format
+ iam_role_arn = local.flow_log_iam_role_arn
+ deliver_cross_account_role = var.flow_log_deliver_cross_account_role
+ traffic_type = var.flow_log_traffic_type
+ vpc_id = local.vpc_id
+ max_aggregation_interval = var.flow_log_max_aggregation_interval
dynamic "destination_options" {
for_each = var.flow_log_destination_type == "s3" ? [true] : []
@@ -48,6 +49,8 @@ resource "aws_cloudwatch_log_group" "flow_log" {
name = "${var.flow_log_cloudwatch_log_group_name_prefix}${local.flow_log_cloudwatch_log_group_name_suffix}"
retention_in_days = var.flow_log_cloudwatch_log_group_retention_in_days
kms_key_id = var.flow_log_cloudwatch_log_group_kms_key_id
+ skip_destroy = var.flow_log_cloudwatch_log_group_skip_destroy
+ log_group_class = var.flow_log_cloudwatch_log_group_class
tags = merge(var.tags, var.vpc_flow_log_tags)
}