terraform-aws-vpc-demo

A demo for deploying Amazon VPC structure using Terraform best pracitces.

Amazon Virtual Private Cloud (Amazon VPC) enables you to launch AWS resources into a virtual network that you've defined. This virtual network closely resembles a traditional network that you'd operate in your own data center, with the benefits of using the scalable infrastructure of AWS.

This module creates:

• VPC and subnets with public and private subnets
• Internet Gateway: To connect the VPC to the internet
• NAT Gateway: [Optional] To allow instances in private subnets to connect to the internet
• Elastic IP: [Optional] To assign to NAT Gateway
• Route Tables: To route traffic between the VPC and the internet
• VPC Endpoints for S3: [Optional] To connect to S3 within private subnets without going through the internet

Architecture

Implementation decisions

VPC and Subnets

This module creates a VPC with one public subnet and multiple private subnet layers associated to multiple tiers. For example, in a typical web application, you might have a public subnet for the load balancer and private subnets for the application servers, database servers, and cache servers, which has its own service tier.

The public subnets are associated with a single shared route table that routes traffic to the internet gateway.

For each service specified by the user, private subnets are deployed to different availability zones. Each private subnet is associated with a dedicated route table that routes traffic to the NAT Gateway if the service is public facing and to the S3 VPC endpoint if the service need to route traffic to S3 privately.

Multi-AZ NAT Gateway

You can optionally enable a multi-AZ NAT Gateway to provide high availability for instances in private subnets. This is useful for scenarios where you want to ensure that instances in private subnets can connect to the internet even if one of the NAT Gateways fails.

If you disable the multi-AZ NAT Gateway, the module will deploy a single NAT Gateway in the first availability zone in of the public subnet.

S3 VPC Endpoint

You can optionally enable an S3 VPC endpoint to allow instances in private subnets to connect to S3 without going through the internet. This is useful for scenarios where you want to restrict access to S3 to only instances within the VPC.

How to use this module

module "vpc" {
  source = "../terraform-components/aws-vpc"

  vpc_name                  = "testvpc"
  vpc_cidr_block            = "10.1.0.0/16"
  public_subnet_cidr_blocks = ["10.1.0.0/20", "10.1.16.0/20"]
  private_subnet_info = [
    {
      tier_name               = "application"
      cidr_blocks             = ["10.1.128.0/20", "10.1.144.0/20"]
      availability_zones      = ["us-east-1a", "us-east-1b"]
      public_facing           = true
      connect_s3_vpc_endpoint = true
    },
    {
      tier_name               = "database"
      cidr_blocks             = ["10.1.160.0/20", "10.1.176.0/20"]
      availability_zones      = ["us-east-1a", "us-east-1b"]
      public_facing           = false
      connect_s3_vpc_endpoint = false
    }
  ]

  enable_s3_endpoint = true

  enable_nat_gateway         = true
  enable_multiaz_nat_gateway = true

  tags = local.tags
}

Requirements

Name	Version
terraform	>= 0.13
aws	= 5.45.0

Providers

Name	Version
aws	= 5.45.0

Modules

No modules.

Resources

Name	Type
aws_eip.nat	resource
aws_internet_gateway.main	resource
aws_nat_gateway.main	resource
aws_route.nat_gateway	resource
aws_route_table.private	resource
aws_route_table.public	resource
aws_route_table_association.private	resource
aws_route_table_association.public	resource
aws_subnet.private	resource
aws_subnet.public	resource
aws_vpc.main	resource
aws_vpc_endpoint.s3	resource
aws_vpc_endpoint_route_table_association.s3	resource
aws_availability_zones.available	data source
aws_region.current	data source

Inputs

Name	Description	Type	Default	Required
enable_multiaz_nat_gateway	Enable Multi-AZ NAT Gateway	bool	false	no
enable_nat_gateway	Enable NAT Gateway	bool	false	no
enable_s3_endpoint	Enable S3 VPC endpoint	bool	true	no
public_subnet_cidr_blocks	The CIDR blocks for the public subnets	list(string)	[ "10.0.0.0/20", "10.0.16.0/20" ]	no
tags	Custom tags which can be passed on to the AWS resources. They should be key value pairs having distinct keys.	map(any)	{}	no
tier_info	The info blocks for the private subnet structure for the tiers to deploy. Each block respresents a tier should have tier_name, cidr_blocks, availability_zones, public_facing, connect_s3_vpc_endpoint.	list(object({ tier_name = string cidr_blocks = list(string) availability_zones = list(string) public_facing = bool connect_s3_vpc_endpoint = bool }))	[ { "availability_zones": [ "us-east-1a", "us-east-1b" ], "cidr_blocks": [ "10.0.128.0/20", "10.0.144.0/20" ], "connect_s3_vpc_endpoint": true, "public_facing": true, "tier_name": "application" }, { "availability_zones": [ "us-east-1a", "us-east-1b" ], "cidr_blocks": [ "10.0.160.0/20", "10.0.172.0/20" ], "connect_s3_vpc_endpoint": false, "public_facing": false, "tier_name": "database" } ]	no
vpc_cidr_block	The CIDR block for the VPC	string	"10.0.0.0/16"	no
vpc_name	The name of the vpc	string	n/a	yes

Outputs

Name	Description
private_subnets_ids	The IDs of the deployed private subnets, identified by the tier name.
public_subnets_ids	The IDs of the deployed public subnets
vpc_id	The ID of the deployed VPC

Terraform Blueprints/Components

We use Terraform to deploy the solution architecture. The Terraform blueprints are located in the live-sandbox folder. The Terraform blueprints are Terraform use-case specific files that references Terraform components. For our use case, we are defining Terraform blueprints to deploy a AWS VPC.

Terraform components are located in the terraform-components folder. The Terraform components are reusable Terraform code that can be used to deploy a specific AWS resource. Terraform components not only deploys its specific AWS resource, but deploys them considering best practices regarding reusability, security, and scalability.

For more info on Terraform, please refer to the Terraform documentation.

Tutorial

Please follow the below tutorials to deploy the solution architecture in the previous section:

1. Set up Terraform with AWS Cloud account
2. Deploy VPC module using Terraform

1. Set up Terraform with AWS Cloud account

To set up Terraform with AWS Cloud account,

Step 1. Create an AWS account. You need to have AWS access key and secret key to use Terraform to deploy resources on AWS of the following format:

export AWS_ACCESS_KEY_ID="xxx"
export AWS_SECRET_ACCESS_KEY="xxx"
export AWS_SESSION_TOKEN="xxx"

Step 2. Install Terraform on your local machine. Please follow the official documentation to install Terraform on your local machine.

Step 3. Configure Terraform to use your AWS access key and secret key by copy-pasting your AWS access and secret key in a Terminal.

Step 4. Change directory to live-sandbox that contains Terraform blueprints. Setup up and validate the Terraform blueprints by running the below commands:

cd live-sandbox
terraform init
terraform validate

2. Deploy VPC module using Terraform

Step 1. Change directory to live-sandbox that contains Terraform blueprints to deploy the solution architecture by running the below commands:

cd live-sandbox
terraform apply

Step 2. Once you are happy with the resources that Terraform is going to deploy in your AWS account, confirm by typing yes in the Terminal.