feat: adding support for regional nat gateway

balvinder · balvinder · commit ba1e12e14b8e · 2025-12-04T23:17:14.000+05:30
diff --git a/README.md b/README.md
@@ -241,13 +241,13 @@ Full contributing [guidelines are covered here](.github/contributing.md).
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.24.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.24.0 |
 
 ## Modules
 
@@ -272,6 +272,7 @@ No modules.
 | [aws_iam_role.vpc_flow_log_cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy_attachment.vpc_flow_log_cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_internet_gateway.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/internet_gateway) | resource |
+| [aws_nat_gateway.regional](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/nat_gateway) | resource |
 | [aws_nat_gateway.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/nat_gateway) | resource |
 | [aws_network_acl.database](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl) | resource |
 | [aws_network_acl.elasticache](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl) | resource |
@@ -487,6 +488,7 @@ No modules.
 | <a name="input_map_public_ip_on_launch"></a> [map\_public\_ip\_on\_launch](#input\_map\_public\_ip\_on\_launch) | Specify true to indicate that instances launched into the subnet should be assigned a public IP address. Default is `false` | `bool` | `false` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name to be used on all the resources as identifier | `string` | `""` | no |
 | <a name="input_nat_eip_tags"></a> [nat\_eip\_tags](#input\_nat\_eip\_tags) | Additional tags for the NAT EIP | `map(string)` | `{}` | no |
+| <a name="input_nat_gateway_connectivity_type"></a> [nat\_gateway\_connectivity\_type](#input\_nat\_gateway\_connectivity\_type) | Connectivity type for the NAT Gateway. Valid values are:<br/>- 'zonal' (default): Traditional AZ-specific NAT gateways that require public subnets<br/>- 'regional': A single NAT Gateway that automatically scales across all AZs (does not require public subnets)<br/><br/>Regional NAT Gateway support requires Terraform AWS provider >= 6.24.0.<br/>When using 'regional' mode, only one NAT Gateway is created for the entire VPC. | `string` | `"zonal"` | no |
 | <a name="input_nat_gateway_destination_cidr_block"></a> [nat\_gateway\_destination\_cidr\_block](#input\_nat\_gateway\_destination\_cidr\_block) | Used to pass a custom destination route for private NAT Gateway. If not specified, the default 0.0.0.0/0 is used as a destination route | `string` | `"0.0.0.0/0"` | no |
 | <a name="input_nat_gateway_tags"></a> [nat\_gateway\_tags](#input\_nat\_gateway\_tags) | Additional tags for the NAT gateways | `map(string)` | `{}` | no |
 | <a name="input_one_nat_gateway_per_az"></a> [one\_nat\_gateway\_per\_az](#input\_one\_nat\_gateway\_per\_az) | Should be true if you want only one NAT Gateway per availability zone. Requires `var.azs` to be set, and the number of `public_subnets` created to be greater than or equal to the number of availability zones specified in `var.azs` | `bool` | `false` | no |
diff --git a/examples/regional-nat/README.md b/examples/regional-nat/README.md
@@ -84,4 +84,3 @@ After applying this configuration, you can see:
 
 - [AWS Regional NAT Gateway Documentation](https://docs.aws.amazon.com/vpc/latest/userguide/nat-gateways-regional.html)
 - [AWS Blog: Introducing Amazon VPC Regional NAT Gateway](https://aws.amazon.com/blogs/networking-and-content-delivery/introducing-amazon-vpc-regional-nat-gateway/)
-
diff --git a/examples/regional-nat/main.tf b/examples/regional-nat/main.tf
@@ -9,24 +9,24 @@ provider "aws" {
 data "aws_availability_zones" "available" {}
 
 locals {
-  name   = "ex-${basename(path.cwd)}"
+  name = "ex-${basename(path.cwd)}"
 
   vpc_cidr = "10.0.0.0/16"
   azs      = slice(data.aws_availability_zones.available.names, 0, 3)
 
   tags = {
-    Example    = local.name
+    Example = local.name
   }
 }
 
 module "vpc" {
   source = "../../"
-  name = local.name
-  cidr = local.vpc_cidr
+  name   = local.name
+  cidr   = local.vpc_cidr
 
-  azs             = local.azs
-  private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k)]
-  public_subnets  = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 4)]
+  azs              = local.azs
+  private_subnets  = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k)]
+  public_subnets   = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 4)]
   database_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 8)]
 
   enable_dns_hostnames = true
@@ -36,5 +36,5 @@ module "vpc" {
   # Requires Terraform AWS provider >= 6.24.0
   enable_nat_gateway            = true
   nat_gateway_connectivity_type = "regional"
-  tags = local.tags
+  tags                          = local.tags
 }
diff --git a/examples/regional-nat/outputs.tf b/examples/regional-nat/outputs.tf
@@ -73,4 +73,3 @@ output "igw_id" {
   description = "The ID of the Internet Gateway"
   value       = module.vpc.igw_id
 }
-
diff --git a/main.tf b/main.tf
@@ -337,7 +337,7 @@ resource "aws_route_table" "private" {
       "Name" = local.nat_gateway_is_regional ? format(
         "${var.name}-${var.private_subnet_suffix}-%s",
         element(var.azs, count.index),
-      ) : var.single_nat_gateway ? "${var.name}-${var.private_subnet_suffix}" : format(
+        ) : var.single_nat_gateway ? "${var.name}-${var.private_subnet_suffix}" : format(
         "${var.name}-${var.private_subnet_suffix}-%s",
         element(var.azs, count.index),
       )
@@ -1208,8 +1208,8 @@ resource "aws_route" "private_ipv6_egress" {
 
 locals {
   nat_gateway_is_regional = var.nat_gateway_connectivity_type == "regional"
-  nat_gateway_count = local.nat_gateway_is_regional ? 1 : var.single_nat_gateway ? 1 : var.one_nat_gateway_per_az ? length(var.azs) : local.max_subnet_length
-  nat_gateway_ips   = var.reuse_nat_ips ? var.external_nat_ip_ids : aws_eip.nat[*].id
+  nat_gateway_count       = local.nat_gateway_is_regional ? 1 : var.single_nat_gateway ? 1 : var.one_nat_gateway_per_az ? length(var.azs) : local.max_subnet_length
+  nat_gateway_ips         = var.reuse_nat_ips ? var.external_nat_ip_ids : aws_eip.nat[*].id
 }
 
 resource "aws_eip" "nat" {
diff --git a/variables.tf b/variables.tf
@@ -1239,7 +1239,7 @@ variable "nat_gateway_connectivity_type" {
     Connectivity type for the NAT Gateway. Valid values are:
     - 'zonal' (default): Traditional AZ-specific NAT gateways that require public subnets
     - 'regional': A single NAT Gateway that automatically scales across all AZs (does not require public subnets)
-    
+
     Regional NAT Gateway support requires Terraform AWS provider >= 6.24.0.
     When using 'regional' mode, only one NAT Gateway is created for the entire VPC.
   EOT
diff --git a/wrappers/main.tf b/wrappers/main.tf
@@ -232,6 +232,7 @@ module "wrapper" {
   map_public_ip_on_launch                                     = try(each.value.map_public_ip_on_launch, var.defaults.map_public_ip_on_launch, false)
   name                                                        = try(each.value.name, var.defaults.name, "")
   nat_eip_tags                                                = try(each.value.nat_eip_tags, var.defaults.nat_eip_tags, {})
+  nat_gateway_connectivity_type                               = try(each.value.nat_gateway_connectivity_type, var.defaults.nat_gateway_connectivity_type, "zonal")
   nat_gateway_destination_cidr_block                          = try(each.value.nat_gateway_destination_cidr_block, var.defaults.nat_gateway_destination_cidr_block, "0.0.0.0/0")
   nat_gateway_tags                                            = try(each.value.nat_gateway_tags, var.defaults.nat_gateway_tags, {})
   one_nat_gateway_per_az                                      = try(each.value.one_nat_gateway_per_az, var.defaults.one_nat_gateway_per_az, false)
diff --git a/wrappers/versions.tf b/wrappers/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 6.0"
+      version = ">= 6.24.0"
     }
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -84,4 +84,3 @@ After applying this configuration, you can see:`
`84`	`84`
`85`	`85`	`- [AWS Regional NAT Gateway Documentation](https://docs.aws.amazon.com/vpc/latest/userguide/nat-gateways-regional.html)`
`86`	`86`	`- [AWS Blog: Introducing Amazon VPC Regional NAT Gateway](https://aws.amazon.com/blogs/networking-and-content-delivery/introducing-amazon-vpc-regional-nat-gateway/)`
`87`		`-`
Original file line number	Diff line number	Diff line change
`@@ -73,4 +73,3 @@ output "igw_id" {`
`73`	`73`	`description = "The ID of the Internet Gateway"`
`74`	`74`	`value = module.vpc.igw_id`
`75`	`75`	`}`
`76`		`-`
Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,7 @@ terraform {`
`4`	`4`	`required_providers {`
`5`	`5`	`aws = {`
`6`	`6`	`source = "hashicorp/aws"`
`7`		`- version = ">= 6.0"`
	`7`	`+ version = ">= 6.24.0"`
`8`	`8`	`}`
`9`	`9`	`}`
`10`	`10`	`}`