Terraform module designed to create networking resources on the AWS Cloud, supporting both IPv4 and dual stack IP modes for workload deployment.
```hcl
module "key_pair_vpn" {
  source             = "saturnops/keypair/aws"
  environment        = "production"
  key_name           = format("%s-%s-vpn", "production", "skaf")
  ssm_parameter_path = format("%s-%s-vpn", "production", "skaf")
}

module "vpc" {
  source                                          = "saturnops/vpc/aws"
  name                                            = "skaf"
  vpc_cidr                                        = "10.0.0.0/16"
  environment                                     = "production"
  ipv6_enabled                                    = true
  create_ipam_pool                                = false
  ipam_enabled                                    = false
  flow_log_enabled                                = true
  vpn_key_pair_name                               = module.key_pair_vpn.key_pair_name
  availability_zones                              = ["us-east-1a", "us-east-1b"]
  vpn_server_enabled                              = false
  intra_subnet_enabled                            = true
  auto_assign_public_ip                           = true
  public_subnet_enabled                           = true
  private_subnet_enabled                          = true
  one_nat_gateway_per_az                          = true
  database_subnet_enabled                         = true
  vpn_server_instance_type                        = "t3a.small"
  vpc_s3_endpoint_enabled                         = true
  vpc_ecr_endpoint_enabled                        = true
  flow_log_max_aggregation_interval               = 60
  flow_log_cloudwatch_log_group_skip_destroy      = true
  flow_log_cloudwatch_log_group_retention_in_days = 90
  flow_log_cloudwatch_log_group_kms_key_arn       = "arn:aws:kms:us-east-2:222222222222:key/kms_key_arn" # Enter your KMS key ARN
}
```
Refer to this for more examples.

To avoid interruptions during the destruction process, ensure that any resources created outside of Terraform which are connected to Terraform-managed resources are deleted before destroying the module.

The private key generated by the Keypair module is stored in AWS Systems Manager Parameter Store. For more details, refer to this.

To encrypt the VPC flow log CloudWatch log group, use the following KMS key policy. Make sure to replace the account ID and region with your specific details.
```json
{
  "Version": "2012-10-17",
  "Id": "allow-cloudwatch-logs-encryption",
  "Statement": [
    {
      "Sid": "AllowRootFullPermissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::12345678:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "AllowCloudWatchLogsEncryption",
      "Effect": "Allow",
      "Principal": {
        "Service": "logs.us-east-2.amazonaws.com"
      },
      "Action": [
        "kms:Encrypt*",
        "kms:Decrypt*",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:Describe*"
      ],
      "Resource": "*"
    }
  ]
}
```
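The two values that must be replaced in the policy above (account ID and region) are exactly the ones that silently break flow-log encryption when they do not match the key ARN passed as `flow_log_cloudwatch_log_group_kms_key_arn`: CloudWatch Logs in the wrong region gets no grant, and a root principal for the wrong account leaves the key unmanageable. The following check is an added example, not part of the module; it rebuilds the README's policy for a given account and region and verifies it against the ARN used in the usage snippet.

```python
import fnmatch
import re

# Actions CloudWatch Logs needs on the key, as granted in the README's policy.
REQUIRED_LOGS_ACTIONS = ("kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt",
                         "kms:GenerateDataKey", "kms:Describe")

def build_key_policy(account_id, region):
    """The README's key policy with the account ID and region filled in."""
    return {
        "Version": "2012-10-17",
        "Id": "allow-cloudwatch-logs-encryption",
        "Statement": [
            {"Sid": "AllowRootFullPermissions", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "AllowCloudWatchLogsEncryption", "Effect": "Allow",
             "Principal": {"Service": f"logs.{region}.amazonaws.com"},
             "Action": [a + "*" for a in REQUIRED_LOGS_ACTIONS], "Resource": "*"},
        ],
    }

# IAM policy elements may be a single string or a list; normalise to a list.
as_list = lambda value: value if isinstance(value, list) else [value]

def check_flow_log_key_policy(key_arn, policy):
    """Return findings (empty list = consistent) for a key ARN and its key policy."""
    m = re.fullmatch(r"arn:aws:kms:([a-z0-9-]+):(\d+):key/.+", key_arn)
    if not m:
        return [f"unrecognised KMS key ARN: {key_arn}"]
    region, account = m.groups()
    root_arn = f"arn:aws:iam::{account}:root"
    logs_principal = f"logs.{region}.amazonaws.com"
    findings, root_ok, logs_seen = [], False, False
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        actions = as_list(st.get("Action", []))
        if root_arn in as_list(principal.get("AWS", [])) and "kms:*" in actions:
            root_ok = True
        if logs_principal in as_list(principal.get("Service", [])):
            logs_seen = True
            # Wildcards such as kms:Encrypt* must cover each required action.
            missing = [a for a in REQUIRED_LOGS_ACTIONS
                       if not any(fnmatch.fnmatchcase(a, p) for p in actions)]
            if missing:
                findings.append(f"{logs_principal} lacks {missing}")
    if not root_ok:
        findings.append(f"no kms:* grant for {root_arn} (account mismatch?)")
    if not logs_seen:
        findings.append(f"no grant for {logs_principal} (region mismatch?)")
    return findings
```

Run against the README's own values, the policy's `12345678` root principal does not match the `222222222222` account in the usage snippet's key ARN, which is the finding the check reports.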
Users only need to declare `vpc_cidr`; the subnet CIDRs are calculated from it with Terraform's built-in functions.
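To predict the ranges the module will hand to security groups and NACLs before running `terraform plan`, it helps to reproduce the `cidrsubnet()` arithmetic outside Terraform. The following is an added example, not the module's own code: `cidrsubnet` mirrors the Terraform built-in, while the tier-major layout in `plan_subnets` (16 /20s from a /16, 256 /64s from the Amazon-provided IPv6 /56) is an assumed allocation for illustration, not the module's documented scheme, and the IPv6 prefix is a constructed documentation address.

```python
import ipaddress

def cidrsubnet(prefix, newbits, netnum):
    """Python equivalent of Terraform's cidrsubnet(prefix, newbits, netnum)."""
    net = ipaddress.ip_network(prefix, strict=True)
    new_len = net.prefixlen + newbits
    if new_len > net.max_prefixlen:
        raise ValueError(f"{newbits} extra bits do not fit in {prefix}")
    if not 0 <= netnum < 2 ** newbits:
        raise ValueError(f"netnum {netnum} out of range for {newbits} new bits")
    # Each child network spans 2**(max_prefixlen - new_len) addresses.
    base = int(net.network_address) + netnum * 2 ** (net.max_prefixlen - new_len)
    return str(ipaddress.ip_network((base, new_len)))

def plan_subnets(vpc_cidr, az_count, tiers, newbits):
    """Assumed layout (not the module's documented algorithm): tier-major,
    then one child network per AZ. Returns {tier: [cidr per AZ]} and refuses
    any overlap between the allocated networks."""
    plan = {tier: [cidrsubnet(vpc_cidr, newbits, t * az_count + a)
                   for a in range(az_count)]
            for t, tier in enumerate(tiers)}
    allocated = [ipaddress.ip_network(c) for cidrs in plan.values() for c in cidrs]
    for i, x in enumerate(allocated):
        for y in allocated[i + 1:]:
            if x.overlaps(y):
                raise ValueError(f"{x} overlaps {y}")
    return plan

if __name__ == "__main__":
    tiers = ["public", "private", "database", "intra"]
    # IPv4: the README's default vpc_cidr carved into /20s for 4 tiers x 2 AZs.
    for tier, cidrs in plan_subnets("10.0.0.0/16", 2, tiers, 4).items():
        print(f"{tier:9} {cidrs}")
    # IPv6: a constructed /56 (documentation prefix) carved into /64s the same way.
    for tier, cidrs in plan_subnets("2001:db8:0:100::/56", 2, tiers, 8).items():
        print(f"{tier:9} {cidrs}")
```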
This module supports three scenarios for creating network resources on AWS. Each is explained briefly in the corresponding section.

- simple-vpc (default behavior): To create a VPC with public subnets and an IGW.

  ```hcl
  vpc_cidr              = ""
  public_subnet_enabled = true
  auto_assign_public_ip = true
  ```

- vpc-with-private-sub: To create a VPC with public subnets, private subnets, an IGW and a NAT gateway.

  ```hcl
  vpc_cidr               = ""
  public_subnet_enabled  = true
  private_subnet_enabled = true
  auto_assign_public_ip  = true
  ```

- complete-vpc-with-vpn: To create a VPC with public, private, database and intra subnets along with an IGW and NAT gateway. A jump server/bastion host is also configured.

  ```hcl
  vpc_cidr                                        = ""
  public_subnet_enabled                           = true
  private_subnet_enabled                          = true
  database_subnet_enabled                         = true
  intra_subnet_enabled                            = true
  auto_assign_public_ip                           = true
  one_nat_gateway_per_az                          = true
  vpn_server_enabled                              = true
  vpn_server_instance_type                        = "t3a.small"
  vpn_key_pair_name                               = ""
  availability_zones                              = 2
  flow_log_enabled                                = true
  flow_log_max_aggregation_interval               = 60
  flow_log_cloudwatch_log_group_retention_in_days = 90
  flow_log_cloudwatch_log_group_kms_key_arn       = "arn:aws:kms:us-east-2:222222222222:key/kms_key_arn"
  ```

- vpc-peering: VPC peering support is available through the `vpc_peering` submodule. Refer to the Peering Docs for more information.

  ```hcl
  accepter_name          = ""
  accepter_vpc_id        = ""
  accepter_vpc_region    = ""
  requester_name         = ""
  requester_vpc_id       = ""
  requester_vpc_region   = ""
  auto_assign_public_ip  = true
  one_nat_gateway_per_az = true
  ```

- vpc-with-ipv6: To create a VPC with IPv6 support, you only need to enable the `ipv6_enabled` parameter; the module takes care of the rest of the configuration. Refer to the vpc-with-ipv6 example for more information.

  ```hcl
  vpc_cidr                                       = ""
  public_subnet_enabled                          = true
  private_subnet_enabled                         = true
  database_subnet_enabled                        = true
  intra_subnet_enabled                           = true
  auto_assign_public_ip                          = true
  ipv6_enabled                                   = true
  public_subnet_assign_ipv6_address_on_creation   = true
  private_subnet_assign_ipv6_address_on_creation  = true
  database_subnet_assign_ipv6_address_on_creation = true
  intra_subnet_assign_ipv6_address_on_creation    = true
  ```
The required IAM permissions to create resources from this module can be found here.

We use Pritunl as the VPN server, running on an Ubuntu 22.04 image as the underlying OS. To configure Pritunl VPN:

1. Access the Pritunl UI over HTTPS in a browser using the public IP of the EC2 instance.
2. Retrieve the initial key, user and password for setting up Pritunl from AWS Secrets Manager and log in to Pritunl.
3. Create a DNS record mapping to the EC2 instance's public IP.
4. After login, in the Initial Setup window, add the record you created in the 'Lets Encrypt Domain' field.
5. Pritunl will automatically configure a signed SSL certificate from Let's Encrypt.
6. Add an organization and a user to Pritunl.
7. Add a server and set its port to 10150, which is already allowed by the security group created with the VPN server instance.
8. Attach the organization to the server and start the server.
9. Copy or download the user profile link or file.
10. Import the profile in the Pritunl client.
Name | Version |
---|---|
terraform | >= 1.0 |
aws | >= 4.23 |
Name | Version |
---|---|
aws | >= 4.23 |
Name | Source | Version |
---|---|---|
vpc | terraform-aws-modules/vpc/aws | 5.2.0 |
vpn_server | ./modules/vpn | n/a |
Name | Type |
---|---|
aws_security_group.vpc_endpoints | resource |
aws_vpc_endpoint.private-ecr-api | resource |
aws_vpc_endpoint.private-ecr-dkr | resource |
aws_vpc_endpoint.private-s3 | resource |
aws_vpc_ipam.ipam | resource |
aws_vpc_ipam_pool.ipam_pool | resource |
aws_vpc_ipam_pool_cidr.ipam_pool_cidr | resource |
aws_availability_zones.available | data source |
aws_ec2_instance_type.arch | data source |
aws_route_tables.aws_private_routes | data source |
Name | Description | Type | Default | Required |
---|---|---|---|---|
auto_assign_public_ip | Specify true to indicate that instances launched into the subnet should be assigned a public IP address. | bool | false | no |
availability_zones | Number of Availability Zones to be used by VPC subnets | list(any) | [] | no |
create_ipam_pool | Whether to create a new IPAM pool | bool | true | no |
database_subnet_assign_ipv6_address_on_creation | Assign IPv6 address on database subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch | bool | null | no |
database_subnet_cidrs | Database tier subnet CIDRs to be created | list(any) | [] | no |
database_subnet_enabled | Set true to enable database subnets | bool | false | no |
default_network_acl_ingress | List of maps of ingress rules to set on the Default Network ACL | list(map(string)) | [ | no |
enable_database_subnet_group | Whether to create database subnet groups | bool | false | no |
environment | Specify the environment identifier for the VPC | string | "" | no |
existing_ipam_managed_cidr | The existing IPAM pool CIDR | string | "" | no |
flow_log_cloudwatch_log_group_kms_key_arn | The ARN of the KMS key to use when encrypting log data for VPC flow logs | string | null | no |
flow_log_cloudwatch_log_group_retention_in_days | Specifies the number of days you want to retain log events in the specified log group for VPC flow logs. | number | null | no |
flow_log_cloudwatch_log_group_skip_destroy | Set to true if you do not wish the log group (and any logs it may contain) to be deleted at destroy time, and instead just remove the log group from the Terraform state | bool | false | no |
flow_log_enabled | Whether or not to enable VPC Flow Logs | bool | false | no |
flow_log_max_aggregation_interval | The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid values: 60 seconds or 600 seconds. | number | 60 | no |
intra_subnet_assign_ipv6_address_on_creation | Assign IPv6 address on intra subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch | bool | null | no |
intra_subnet_cidrs | A list of intra subnet CIDRs to be created | list(any) | [] | no |
intra_subnet_enabled | Set true to enable intra subnets | bool | false | no |
ipam_enabled | Whether to enable an IPAM-managed VPC or not | bool | false | no |
ipam_pool_id | The existing IPAM pool ID, if any | string | null | no |
ipv4_netmask_length | The netmask length for an IPAM-managed VPC | number | 16 | no |
ipv6_enabled | Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block. | bool | false | no |
ipv6_only | Enable it for deploying a native IPv6 network | bool | false | no |
name | Specify the name of the VPC | string | "" | no |
one_nat_gateway_per_az | Set to true if a NAT Gateway is required per availability zone for the private subnet tier | bool | false | no |
private_subnet_assign_ipv6_address_on_creation | Assign IPv6 address on private subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch | bool | null | no |
private_subnet_cidrs | A list of private subnet CIDRs to be created inside the VPC | list(any) | [] | no |
private_subnet_enabled | Set true to enable private subnets | bool | false | no |
public_subnet_assign_ipv6_address_on_creation | Assign IPv6 address on public subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch | bool | null | no |
public_subnet_cidrs | A list of public subnet CIDRs to be created inside the VPC | list(any) | [] | no |
public_subnet_enabled | Set true to enable public subnets | bool | false | no |
region | The AWS region name | string | null | no |
secondary_cidr_blocks | List of the secondary CIDR blocks, which can be at most 5 | list(string) | [] | no |
secondry_cidr_enabled | Whether to enable secondary CIDRs with the VPC | bool | false | no |
vpc_cidr | The CIDR block of the VPC | string | "10.0.0.0/16" | no |
vpc_ecr_endpoint_enabled | Set to true if you want to enable VPC ECR endpoints | bool | false | no |
vpc_s3_endpoint_enabled | Set to true if you want to enable VPC S3 endpoints | bool | false | no |
vpn_key_pair_name | Specify the name of the AWS key pair to be used for the VPN server | string | "" | no |
vpn_server_enabled | Set to true if you want to deploy the VPN server resource and attach it to the VPC | bool | false | no |
vpn_server_instance_type | EC2 instance type for the VPN server. Only amd64-based instance types are supported, e.g. t2.medium, t3.micro, c5a.large. | string | "t3a.small" | no |
Name | Description |
---|---|
database_subnets | List of IDs of database subnets |
intra_subnets | List of IDs of Intra subnets |
ipv6_vpc_cidr_block | The IPv6 CIDR block |
private_subnets | List of IDs of private subnets |
public_subnets | List of IDs of public subnets |
vpc_cidr_block | IPV4 CIDR Block for this VPC |
vpc_id | The ID of the VPC |
vpc_ipv6_association_id | The association ID for the IPv6 CIDR block |
vpc_secondary_cidr_blocks | List of secondary CIDR blocks of the VPC |
vpn_host_public_ip | IP Address of VPN Server |
vpn_security_group | Security Group ID of VPN Server |
- Please give our GitHub repository a ⭐️ to show your support and increase its visibility.