Merge pull request #60 from DNXLabs/feature/per-tier-subnet-sizing

thiago4go · web-flow · commit 6a6d5b119a80 · 2025-11-07T15:51:15.000+11:00
feat: add per-tier subnet sizing support
diff --git a/README.md b/README.md
@@ -43,6 +43,24 @@ module "network" {
 }
 ```
 
+### Per-Tier Subnet Sizing (Optional)
+
+For mixed subnet sizes, override `newbits` per tier:
+
+```hcl
+module "network" {
+  source   = "git::https://github.com/DNXLabs/terraform-aws-network.git"
+  
+  vpc_cidr = "10.39.32.0/21"
+  newbits  = 5  # Default /26
+  
+  # Override per tier
+  public_newbits  = 5  # /26 (62 IPs)
+  private_newbits = 3  # /24 (254 IPs)
+  secure_newbits  = 5  # /26 (62 IPs)
+}
+```
+
 <!--- BEGIN_TF_DOCS --->
 
 ## Requirements
@@ -75,6 +93,7 @@ module "network" {
 | firewall\_custom\_rules | The stateful rule group rules specifications in Suricata file format, with one rule per line | `list(string)` | `[]` | no |
 | firewall\_domain\_list | List the domain names you want to take action on. | `list(any)` | <pre>[<br>  ".amazonaws.com",<br>  ".github.com"<br>]</pre> | no |
 | firewall\_netnum\_offset | Start with this subnet for secure ones, plus number of AZs | `number` | `14` | no |
+| firewall\_newbits | Number of bits to add to the vpc cidr for firewall subnets (overrides 'newbits' if set) | `number` | `null` | no |
 | kms\_key\_arn | The ARN of the KMS Key to use when encrypting log data. | `string` | `""` | no |
 | kubernetes\_clusters | List of kubernetes cluster names to creates tags in public and private subnets of this VPC | `list(string)` | `[]` | no |
 | kubernetes\_clusters\_secure | List of kubernetes cluster names to creates tags in secure subnets of this VPC | `list(string)` | `[]` | no |
@@ -86,23 +105,27 @@ module "network" {
 | name\_suffix | Adds a name suffix to all resources created | `string` | `""` | no |
 | nat | Deploy NAT instance(s) | `bool` | `true` | no |
 | network\_firewall | Enable or disable VPC Network Firewall | `bool` | `false` | no |
-| newbits | Number of bits to add to the vpc cidr when building subnets | `number` | `5` | no |
+| newbits | Number of bits to add to the vpc cidr when building subnets (applies to all tiers unless tier-specific values are set) | `number` | `5` | no |
 | private\_nacl\_allow\_cidrs | CIDRs to allow traffic from private subnet | `list(string)` | `[]` | no |
 | private\_netnum\_offset | Start with this subnet for private ones, plus number of AZs | `number` | `5` | no |
+| private\_newbits | Number of bits to add to the vpc cidr for private subnets (overrides 'newbits' if set) | `number` | `null` | no |
 | public\_nacl\_allow\_cidrs | CIDRs to allow traffic from public subnet | `list(string)` | `[]` | no |
 | public\_nacl\_icmp | Allows ICMP traffic to and from the public subnet | `bool` | `true` | no |
 | public\_nacl\_inbound\_tcp\_ports | TCP Ports to allow inbound on public subnet via NACLs (this list cannot be empty) | `list(string)` | <pre>[<br>  "80",<br>  "443",<br>  "22",<br>  "1194"<br>]</pre> | no |
 | public\_nacl\_inbound\_udp\_ports | UDP Ports to allow inbound on public subnet via NACLs (this list cannot be empty) | `list(string)` | `[]` | no |
 | public\_nacl\_outbound\_tcp\_ports | TCP Ports to allow outbound to external services (use [0] to allow all ports) | `list(string)` | <pre>[<br>  "0"<br>]</pre> | no |
 | public\_nacl\_outbound\_udp\_ports | UDP Ports to allow outbound to external services (use [0] to allow all ports) | `list(string)` | <pre>[<br>  "0"<br>]</pre> | no |
 | public\_netnum\_offset | Start with this subnet for public ones, plus number of AZs | `number` | `0` | no |
+| public\_newbits | Number of bits to add to the vpc cidr for public subnets (overrides 'newbits' if set) | `number` | `null` | no |
 | secure\_nacl\_allow\_cidrs | CIDRs to allow traffic from secure subnet | `list(string)` | `[]` | no |
 | secure\_nacl\_allow\_public | Allow traffic between public and secure | `bool` | `false` | no |
 | secure\_netnum\_offset | Start with this subnet for secure ones, plus number of AZs | `number` | `10` | no |
+| secure\_newbits | Number of bits to add to the vpc cidr for secure subnets (overrides 'newbits' if set) | `number` | `null` | no |
 | tags | Extra tags to attach to resources | `map(string)` | `{}` | no |
 | transit\_nacl\_inbound\_tcp\_ports | TCP Ports to allow inbound on transit subnet via NACLs (this list cannot be empty) | `list(string)` | <pre>[<br>  "1194"<br>]</pre> | no |
 | transit\_nacl\_inbound\_udp\_ports | UDP Ports to allow inbound on transit subnet via NACLs (this list cannot be empty) | `list(string)` | <pre>[<br>  "1194"<br>]</pre> | no |
 | transit\_netnum\_offset | Start with this subnet for secure ones, plus number of AZs | `number` | `15` | no |
+| transit\_newbits | Number of bits to add to the vpc cidr for transit subnets (overrides 'newbits' if set) | `number` | `null` | no |
 | transit\_subnet | Create a transit subnet for VPC peering (only central account) | `bool` | `false` | no |
 | vpc\_cidr | Network CIDR for the VPC | `string` | n/a | yes |
 | vpc\_cidr\_summ | Define cidr used to summarize subnets by tier | `string` | `"/0"` | no |
diff --git a/_variables.tf b/_variables.tf
@@ -39,7 +39,37 @@ variable "multi_nat" {
 variable "newbits" {
   type        = number
   default     = 5
-  description = "Number of bits to add to the vpc cidr when building subnets"
+  description = "Number of bits to add to the vpc cidr when building subnets (applies to all tiers unless tier-specific values are set)"
+}
+
+variable "public_newbits" {
+  type        = number
+  default     = null
+  description = "Number of bits to add to the vpc cidr for public subnets (overrides 'newbits' if set)"
+}
+
+variable "private_newbits" {
+  type        = number
+  default     = null
+  description = "Number of bits to add to the vpc cidr for private subnets (overrides 'newbits' if set)"
+}
+
+variable "secure_newbits" {
+  type        = number
+  default     = null
+  description = "Number of bits to add to the vpc cidr for secure subnets (overrides 'newbits' if set)"
+}
+
+variable "transit_newbits" {
+  type        = number
+  default     = null
+  description = "Number of bits to add to the vpc cidr for transit subnets (overrides 'newbits' if set)"
+}
+
+variable "firewall_newbits" {
+  type        = number
+  default     = null
+  description = "Number of bits to add to the vpc cidr for firewall subnets (overrides 'newbits' if set)"
 }
 
 variable "vpc_cidr_summ" {
@@ -301,6 +331,13 @@ variable "db_subnet_group_secure_name_compat" {
 }
 
 locals {
+  # Compute effective newbits per tier (tier-specific overrides global)
+  public_newbits_effective   = coalesce(var.public_newbits, var.newbits)
+  private_newbits_effective  = coalesce(var.private_newbits, var.newbits)
+  secure_newbits_effective   = coalesce(var.secure_newbits, var.newbits)
+  transit_newbits_effective  = coalesce(var.transit_newbits, var.newbits)
+  firewall_newbits_effective = coalesce(var.firewall_newbits, var.newbits)
+
   kubernetes_clusters = zipmap(
     formatlist("kubernetes.io/cluster/%s", var.kubernetes_clusters),
     [for cluster in var.kubernetes_clusters : var.kubernetes_clusters_type]
diff --git a/subnet-firewall.tf b/subnet-firewall.tf
@@ -4,7 +4,7 @@ resource "aws_subnet" "firewall" {
 
   cidr_block = cidrsubnet(
     aws_vpc.default.cidr_block,
-    var.newbits,
+    local.firewall_newbits_effective,
     count.index + var.firewall_netnum_offset,
   )
 
diff --git a/subnet-private.tf b/subnet-private.tf
@@ -4,7 +4,7 @@ resource "aws_subnet" "private" {
 
   cidr_block = cidrsubnet(
     aws_vpc.default.cidr_block,
-    var.newbits,
+    local.private_newbits_effective,
     count.index + var.private_netnum_offset,
   )
 
diff --git a/subnet-public.tf b/subnet-public.tf
@@ -3,7 +3,7 @@ resource "aws_subnet" "public" {
   vpc_id = aws_vpc.default.id
   cidr_block = cidrsubnet(
     aws_vpc.default.cidr_block,
-    var.newbits,
+    local.public_newbits_effective,
     count.index + var.public_netnum_offset,
   )
   availability_zone       = data.aws_availability_zones.available.names[count.index]
diff --git a/subnet-secure.tf b/subnet-secure.tf
@@ -3,7 +3,7 @@ resource "aws_subnet" "secure" {
   vpc_id = aws_vpc.default.id
   cidr_block = cidrsubnet(
     aws_vpc.default.cidr_block,
-    var.newbits,
+    local.secure_newbits_effective,
     count.index + var.secure_netnum_offset,
   )
   availability_zone       = data.aws_availability_zones.available.names[count.index]
diff --git a/subnet-transit.tf b/subnet-transit.tf
@@ -3,7 +3,7 @@ resource "aws_subnet" "transit" {
   vpc_id = aws_vpc.default.id
   cidr_block = cidrsubnet(
     aws_vpc.default.cidr_block,
-    var.newbits,
+    local.transit_newbits_effective,
     count.index + var.transit_netnum_offset,
   )
   availability_zone       = data.aws_availability_zones.available.names[count.index]

Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,7 @@ resource "aws_subnet" "firewall" {`
`4`	`4`
`5`	`5`	`cidr_block = cidrsubnet(`
`6`	`6`	`aws_vpc.default.cidr_block,`
`7`		`- var.newbits,`
	`7`	`+ local.firewall_newbits_effective,`
`8`	`8`	`count.index + var.firewall_netnum_offset,`
`9`	`9`	`)`
`10`	`10`
Original file line number	Diff line number	Diff line change
`@@ -3,7 +3,7 @@ resource "aws_subnet" "public" {`
`3`	`3`	`vpc_id = aws_vpc.default.id`
`4`	`4`	`cidr_block = cidrsubnet(`
`5`	`5`	`aws_vpc.default.cidr_block,`
`6`		`- var.newbits,`
	`6`	`+ local.public_newbits_effective,`
`7`	`7`	`count.index + var.public_netnum_offset,`
`8`	`8`	`)`
`9`	`9`	`availability_zone = data.aws_availability_zones.available.names[count.index]`