
cn-terraform/terraform-aws-networking


Networking Terraform Module for AWS

This Terraform module creates the base networking infrastructure on AWS.

Usage

Check valid versions on:

Install pre-commit hooks.

Please run this command right after cloning the repository:

```sh
pre-commit install
```

For that you may need to install the following tools:

To run all checks at any point, run the following command:

```sh
pre-commit run --all-files
```

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.5.7 |
| aws | ~> 6 |

Providers

| Name | Version |
|------|---------|
| aws | 6.32.1 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_eip.nat | resource |
| aws_flow_log.private_subnet_flow_log | resource |
| aws_flow_log.public_subnet_flow_log | resource |
| aws_flow_log.vpc_flow_log | resource |
| aws_internet_gateway.internet_gw | resource |
| aws_nat_gateway.regional | resource |
| aws_nat_gateway.zonal | resource |
| aws_route.private_internet_route | resource |
| aws_route.public_internet | resource |
| aws_route_table.private | resource |
| aws_route_table.public | resource |
| aws_route_table_association.private | resource |
| aws_route_table_association.public | resource |
| aws_subnet.private | resource |
| aws_subnet.public | resource |
| aws_vpc.vpc | resource |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| additional_tags | (Optional) A map of tags to assign to all the resources. If configured with a provider `default_tags` configuration block present, tags with matching keys will overwrite those defined at the provider level. | `map(string)` | `{}` | no |
| flow_log_additional_tags | (Optional) Additional tags to be added to the flow log resources. | `map(string)` | `{}` | no |
| flow_log_deliver_cross_account_role | (Optional) ARN of the IAM role in the destination account used for cross-account delivery of flow logs. Required if `log_destination_type` is `cloud-watch-logs` or `s3` and the destination is in a different account. Corresponds to `DeliverCrossAccountRole` in the AWS API. | `string` | `null` | no |
| flow_log_destination_options | (Optional) Describes the destination options for a flow log. The object schema is listed below the table. | `object({...})` | `{"file_format": "plain-text", "hive_compatible_partitions": false, "per_hour_partition": false}` | no |
| flow_log_iam_role_arn | (Optional) ARN of the IAM role used to post flow logs. Corresponds to `DeliverLogsPermissionArn` in the AWS API. | `string` | `null` | no |
| flow_log_log_destination | (Optional) ARN of the logging destination. | `string` | `null` | no |
| flow_log_log_destination_type | (Optional) Logging destination type. Valid values: `cloud-watch-logs`, `s3`, `kinesis-data-firehose`. Default: `cloud-watch-logs`. | `string` | `"cloud-watch-logs"` | no |
| flow_log_log_format | (Optional) The fields to include in the flow log record. Accepted format example: `"${interface-id} ${srcaddr} ${dstaddr} ${srcport} ${dstport}"`. | `string` | `null` | no |
| flow_log_max_aggregation_interval | (Optional) The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid values: 60 seconds (1 minute) or 600 seconds (10 minutes). Default: 600. | `number` | `600` | no |
| flow_log_traffic_type | (Optional) The type of traffic to capture. Valid values: `ACCEPT`, `REJECT`, `ALL`. Default: `ALL`. | `string` | `"ALL"` | no |
| name_prefix | (Required) The prefix to use for naming resources created in this module. | `string` | n/a | yes |
| nat_gateway_additional_tags | (Optional) A map of tags to assign to the resource. If configured with a provider `default_tags` configuration block present, tags with matching keys will overwrite those defined at the provider level. | `map(string)` | `{}` | no |
| nat_gateway_availability_mode | (Optional) Specifies whether to create a zonal (single-AZ) or regional (multi-AZ) NAT gateway. Valid values are `zonal` and `regional`. Defaults to `zonal`. | `string` | `"zonal"` | no |
| nat_gateway_availability_zones | List of availability zones where a NAT gateway will be operating. If configured as `zonal`, one NAT gateway will be created on the public subnets deployed in the AZs listed here. If set up as `regional`, this is used to decide how many AZs it will expand into. If `null`, the AZs will match those where public subnets are created. If `[]`, no NAT gateway will be created. | `set(string)` | `null` | no |
| nat_gateway_connectivity_type | (Optional) Connectivity type for the NAT Gateway. Valid values are `private` and `public`. When `availability_mode` is set to `regional`, this must be set to `public`. Defaults to `public`. | `string` | `"public"` | no |
| private_subnets | (Optional) Map of objects containing the definition for each private subnet. The object schema is listed below the table. | `map(object({...}))` | `{}` | no |
| private_subnets_additional_tags | (Optional) A map of tags to assign to the resource. If configured with a provider `default_tags` configuration block present, tags with matching keys will overwrite those defined at the provider level. | `map(string)` | `{}` | no |
| private_subnets_enable_dns64 | (Optional) Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: false. | `bool` | `false` | no |
| private_subnets_enable_resource_name_dns_a_record_on_launch | (Optional) Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: false. | `bool` | `false` | no |
| private_subnets_enable_resource_name_dns_aaaa_record_on_launch | (Optional) Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: false. | `bool` | `false` | no |
| private_subnets_private_dns_hostname_type_on_launch | (Optional) The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name`. | `string` | `"ip-name"` | no |
| public_subnets | (Optional) Map of objects containing the definition for each public subnet. The object schema is listed below the table. | `map(object({...}))` | `{}` | no |
| public_subnets_additional_tags | (Optional) A map of tags to assign to the resource. If configured with a provider `default_tags` configuration block present, tags with matching keys will overwrite those defined at the provider level. | `map(string)` | `{}` | no |
| public_subnets_enable_dns64 | (Optional) Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: false. | `bool` | `false` | no |
| public_subnets_enable_resource_name_dns_a_record_on_launch | (Optional) Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: false. | `bool` | `false` | no |
| public_subnets_enable_resource_name_dns_aaaa_record_on_launch | (Optional) Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: false. | `bool` | `false` | no |
| public_subnets_map_public_ip_on_launch | (Optional) Specify true to indicate that instances launched into the subnet should be assigned a public IP address. Default is false. | `bool` | `false` | no |
| public_subnets_private_dns_hostname_type_on_launch | (Optional) The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name`. | `string` | `"ip-name"` | no |
| vpc_additional_tags | (Optional) A map of tags to assign to the resource. If configured with a provider `default_tags` configuration block present, tags with matching keys will overwrite those defined at the provider level. | `map(string)` | `{}` | no |
| vpc_assign_generated_ipv6_cidr_block | (Optional) Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block. Default is false. Conflicts with `ipv6_ipam_pool_id`. | `bool` | `false` | no |
| vpc_cidr_block | (Optional) The IPv4 CIDR block for the VPC. The CIDR can be set explicitly or derived from IPAM using `ipv4_netmask_length`. | `string` | `null` | no |
| vpc_create_internet_gateway | (Optional) Whether to create an Internet Gateway and attach it to the VPC. Default is true. | `bool` | `true` | no |
| vpc_enable_dns_hostnames | (Optional) A boolean flag to enable/disable DNS hostnames in the VPC. Defaults to false. | `bool` | `false` | no |
| vpc_enable_dns_support | (Optional) A boolean flag to enable/disable DNS support in the VPC. Defaults to true. | `bool` | `true` | no |
| vpc_enable_flow_log | (Optional) Whether to create a flow log for the VPC. Default is false. If enabled, some of the variables starting with `flow_log` need to be configured. | `bool` | `false` | no |
| vpc_enable_network_address_usage_metrics | (Optional) Indicates whether Network Address Usage metrics are enabled for your VPC. Defaults to false. | `bool` | `false` | no |
| vpc_instance_tenancy | (Optional) A tenancy option for instances launched into the VPC. Default is `default`, which ensures that EC2 instances launched in this VPC use the EC2 instance tenancy attribute specified when the EC2 instance is launched. The only other option is `dedicated`, which ensures that EC2 instances launched in this VPC are run on dedicated tenancy instances regardless of the tenancy attribute specified at launch. This has a dedicated per-region fee of $2 per hour, plus an hourly per-instance usage fee. | `string` | `"default"` | no |
| vpc_ipv4_ipam_pool_id | (Optional) The ID of an IPv4 IPAM pool you want to use for allocating this VPC's CIDR. IPAM is a VPC feature that you can use to automate your IP address management workflows, including assigning, tracking, troubleshooting, and auditing IP addresses across AWS Regions and accounts. Using IPAM you can monitor IP address usage throughout your AWS Organization. | `string` | `null` | no |
| vpc_ipv4_netmask_length | (Optional) The netmask length of the IPv4 CIDR you want to allocate to this VPC. Requires specifying an `ipv4_ipam_pool_id`. | `number` | `null` | no |
| vpc_ipv6_cidr_block | (Optional) IPv6 CIDR block to request from an IPAM Pool. Can be set explicitly or derived from IPAM using `ipv6_netmask_length`. | `string` | `null` | no |
| vpc_ipv6_cidr_block_network_border_group | (Optional) By default, when an IPv6 CIDR is assigned to a VPC, `ipv6_cidr_block_network_border_group` is set to the region of the VPC. This can be changed to restrict advertisement of public addresses to specific Network Border Groups such as Local Zones. | `string` | `null` | no |
| vpc_ipv6_ipam_pool_id | (Optional) IPAM Pool ID for an IPv6 pool. Conflicts with `assign_generated_ipv6_cidr_block`. | `string` | `null` | no |
| vpc_ipv6_netmask_length | (Optional) Netmask length to request from the IPAM Pool. Conflicts with `ipv6_cidr_block`. This can be omitted if the IPAM pool has an `allocation_default_netmask_length` set. Valid values are from 44 to 60 in increments of 4. | `number` | `null` | no |

Object schema for `flow_log_destination_options`:

```hcl
object({
  file_format                = optional(string, "plain-text") # File format for the flow log. Default value: plain-text. Valid values: plain-text, parquet.
  hive_compatible_partitions = optional(bool, false)          # Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3. Default value: false.
  per_hour_partition         = optional(bool, false)          # Indicates whether to partition the flow log per hour. This reduces the cost and response time for queries. Default value: false.
})
```

Object schema shared by `private_subnets` and `public_subnets` (each map value is one subnet definition):

```hcl
map(object({
  availability_zone               = string                # Availability Zone for the subnet.
  assign_ipv6_address_on_creation = optional(bool, false) # (Optional) Specify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. Default is false.
  cidr_block                      = optional(string)      # The IPv4 CIDR block for the subnet.
  # customer_owned_ipv4_pool      = optional(string)      # The customer-owned IPv4 address pool. Typically used with the map_customer_owned_ip_on_launch argument. The outpost_arn argument must be specified when configured.
  enable_flow_log                 = optional(bool, false) # (Optional) Whether to create a flow log for the subnet. Default is false. If enabled, some of the variables starting with flow_log need to be configured.
  ipv6_cidr_block                 = optional(string)      # The IPv6 network range for the subnet, in CIDR notation. The subnet size must use a /64 prefix length. If the existing IPv6 subnet was created with assign_ipv6_address_on_creation = true, changing this value will force resource recreation.
  ipv6_native                     = optional(bool, false) # Indicates whether to create an IPv6-only subnet. Default: false.
  ipv4_ipam_pool_id               = optional(string)      # ID of an IPv4 VPC Resource Planning IPAM Pool. The CIDR of this pool is used to allocate the CIDR for the subnet.
  ipv4_netmask_length             = optional(number)      # Netmask. Requires specifying an ipv4_ipam_pool_id.
  ipv6_ipam_pool_id               = optional(string)      # ID of an IPv6 VPC Resource Planning IPAM Pool. The CIDR of this pool is used to allocate the CIDR for the subnet.
  ipv6_netmask_length             = optional(number)      # Netmask. Requires specifying an ipv6_ipam_pool_id. Valid values are from 44 to 64 in increments of 4.
  # map_customer_owned_ip_on_launch = optional(bool, false) # Specify true to indicate that network interfaces created in the subnet should be assigned a customer-owned IP address. The customer_owned_ipv4_pool and outpost_arn arguments must be specified when set to true. Default is false.
  outpost_arn                     = optional(string)      # The Amazon Resource Name (ARN) of the Outpost.
}))
```

Outputs

| Name | Description |
|------|-------------|
| internet_gateway_id | Values from the generated Internet Gateway, in case it was created. |
| private_subnets | Values from the generated private subnets. |
| public_subnets | Values from the generated public subnets. |
| vpc | Values from the generated VPC. |
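The following is an added example, not a snippet from the module's own README, showing one way to call this module for a two-AZ VPC with VPC-level and per-subnet flow logs delivered to CloudWatch Logs and one NAT gateway per AZ. The registry source path, the region, the CIDR ranges and the log-group and IAM role ARNs are assumptions or placeholders.

```hcl
# Added example (not from the module's own docs). Assumed: the module is
# consumed from the Terraform registry as cn-terraform/networking/aws;
# ARNs, region and CIDRs are placeholders to be replaced.
module "networking" {
  source  = "cn-terraform/networking/aws" # assumption: registry path of this repo
  version = "x.y.z"                       # placeholder: pin to a released version

  name_prefix = "prod"

  vpc_cidr_block           = "10.20.0.0/16"
  vpc_enable_dns_support   = true
  vpc_enable_dns_hostnames = true

  # Capture every flow (ACCEPT and REJECT) at VPC level, at the finer
  # 60-second aggregation interval, and ship it to a CloudWatch log group.
  vpc_enable_flow_log               = true
  flow_log_traffic_type             = "ALL"
  flow_log_max_aggregation_interval = 60
  flow_log_log_destination_type     = "cloud-watch-logs"
  flow_log_log_destination          = "arn:aws:logs:REGION:ACCOUNT_ID:log-group:/vpc/prod-flow-logs" # placeholder
  flow_log_iam_role_arn             = "arn:aws:iam::ACCOUNT_ID:role/vpc-flow-logs"                   # placeholder

  # Public subnets: keep the default of no auto-assigned public IPs, so an
  # instance only gets one when it is explicitly requested.
  public_subnets_map_public_ip_on_launch = false
  public_subnets = {
    "public-a" = { availability_zone = "us-east-1a", cidr_block = "10.20.0.0/24" }
    "public-b" = { availability_zone = "us-east-1b", cidr_block = "10.20.1.0/24" }
  }

  # Private subnets, each with its own subnet-level flow log in addition
  # to the VPC-level one (same flow_log_* destination settings apply).
  private_subnets = {
    "private-a" = { availability_zone = "us-east-1a", cidr_block = "10.20.10.0/24", enable_flow_log = true }
    "private-b" = { availability_zone = "us-east-1b", cidr_block = "10.20.11.0/24", enable_flow_log = true }
  }

  # One zonal NAT gateway in each listed AZ, so private egress in one AZ
  # does not depend on the other AZ staying up.
  nat_gateway_availability_mode  = "zonal"
  nat_gateway_connectivity_type  = "public"
  nat_gateway_availability_zones = ["us-east-1a", "us-east-1b"]

  additional_tags = {
    Environment = "prod"
    ManagedBy   = "terraform"
  }
}
```

Setting `nat_gateway_availability_zones = []` instead would create the subnets and route tables without any NAT gateway, which is the right choice for private subnets that must not reach the internet at all.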
