# Overview

This module performs the following tasks:

- Create a VPC and its VPC flow log
- Create subnets in every AZ
- Create an IGW and NGW
- Create S3 and DynamoDB gateway endpoints, which are free
- Additional CIDR blocks, if any, introduce a 10s wait before subnet creation

## Subnet addressing

Subnet CIDRs need to be specified manually.

## Inputs:

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| private-subnet-cidrs | private subnet CIDRs | list | [] | yes |
| public-subnet-cidrs | public subnet CIDRs | list | [] | yes |
| create-nat-gateway | whether to deploy a NAT gateway for private subnets | bool | true | yes |
| vpc-cidr | VPC CIDR | string | none | yes |
| enable-flowlog | whether to enable the VPC flow log | bool | true | yes |
| vpcflowlog-retain-days | number of days to retain the VPC CloudWatch log | number | 90 | yes |
| vpcflowlog-cwl-loggroup-key-arn | KMS key alias ARN for log group encryption | string | none | yes |
| secondary_cidr_blocks | additional CIDR blocks to associate with the VPC | list(string) | none | no |
| resource-prefix | prefix of resource names | string | "" | yes |

## Outputs:

| Name | Description | Type |
|---|---|---|
| vpc_id | VPC id | string |
| public_subnets | list of public subnet CIDR blocks | list |
| private_subnets | list of private subnet CIDR blocks | list |
| secondary_cidr_blocks | list of secondary CIDRs | list |

## Using s3 bucket for flowlog

Make sure the bucket policy allows access from the `delivery.logs.amazonaws.com` service principal. If the bucket is encrypted with a CMK, make sure the key policy also allows that service principal.
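A pre-apply check for the two policies, added here as an example; it is not part of the module. It takes a bucket policy and a CMK key policy (in the same shape as the samples below), confirms that `delivery.logs.amazonaws.com` is actually granted the actions on the resources it needs, and warns when a service-principal grant has no `aws:SourceAccount`/`aws:SourceArn` condition. The bucket name, account id and key ARN in the embedded samples are constructed placeholders, and the required KMS actions are an assumption (`kms:GenerateDataKey` to write SSE-KMS objects, `kms:Decrypt` to read them), both present in the README sample.

```python
# Added example (not part of the module): pre-flight check that a bucket policy
# and a CMK key policy grant the VPC Flow Logs delivery service what it needs.
# The sample policies below are constructed from the README samples with a
# made-up bucket name, account id and key ARN.
import fnmatch
import json

DELIVERY_SERVICE = "delivery.logs.amazonaws.com"

# Constructed sample: the README bucket policy with BUCKET_NAME filled in.
SAMPLE_BUCKET_POLICY = json.loads("""
{
  "Id": "policy01",
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AWSLogDeliveryWrite", "Effect": "Allow",
     "Principal": {"Service": "delivery.logs.amazonaws.com"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-flowlog-bucket/*"},
    {"Sid": "AWSLogDeliveryCheck", "Effect": "Allow",
     "Principal": {"Service": "delivery.logs.amazonaws.com"},
     "Action": "s3:GetBucketAcl", "Resource": "arn:aws:s3:::example-flowlog-bucket"}
  ]
}
""")

# Constructed sample: the README CMK statement (one statement, not a full key policy).
SAMPLE_CMK_STATEMENT = {
    "Sid": "Allow AWS Service to use the key",
    "Effect": "Allow",
    "Principal": {"Service": ["delivery.logs.amazonaws.com",
                              "cloudtrail.amazonaws.com", "s3.amazonaws.com"]},
    "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
               "kms:GenerateDataKey*", "kms:DescribeKey"],
    "Resource": "*",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statements(policy):
    # Accept a full policy document or a bare statement like the CMK sample.
    return _as_list(policy["Statement"]) if "Statement" in policy else [policy]


def _allows_service(stmt, service):
    if stmt.get("Effect") != "Allow":
        return False
    principal = stmt.get("Principal", {})
    if principal == "*":
        return True
    services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
    return service in services or "*" in services


def _action_matches(patterns, action):
    # IAM action wildcards: "kms:GenerateDataKey*" covers "kms:GenerateDataKey";
    # action names are matched case-insensitively.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _resource_matches(patterns, arn):
    return any(fnmatch.fnmatchcase(arn, p) for p in patterns)


def check_grants(policy, service, required):
    """required maps each needed action to a concrete resource ARN it must cover.
    Returns {"missing": [...], "warnings": [...]}; empty "missing" means the grant suffices."""
    stmts = _statements(policy)
    missing = [
        f"{action} on {resource}"
        for action, resource in required.items()
        if not any(_allows_service(s, service)
                   and _action_matches(_as_list(s.get("Action", [])), action)
                   and _resource_matches(_as_list(s.get("Resource", [])), resource)
                   for s in stmts)
    ]
    # Confused-deputy guard: a service-principal grant should be pinned to your own
    # account with aws:SourceAccount or aws:SourceArn; without it the same service,
    # delivering logs on behalf of another account, is allowed into this bucket/key.
    warnings = [
        f"{s.get('Sid', '<no Sid>')}: no aws:SourceAccount/aws:SourceArn condition"
        for s in stmts
        if _allows_service(s, service)
        and not any(k in json.dumps(s.get("Condition", {}))
                    for k in ("aws:SourceAccount", "aws:SourceArn"))
    ]
    return {"missing": missing, "warnings": warnings}


def check_bucket_policy(policy, bucket):
    # Delivery checks the bucket ACL, then writes objects under the bucket.
    # The object key below is a constructed representative path.
    return check_grants(policy, DELIVERY_SERVICE, {
        "s3:PutObject": f"arn:aws:s3:::{bucket}/AWSLogs/111111111111/example.log.gz",
        "s3:GetBucketAcl": f"arn:aws:s3:::{bucket}",
    })


def check_cmk_policy(policy, key_arn):
    # Assumed minimum for an SSE-KMS bucket: a data key to write, Decrypt to read.
    return check_grants(policy, DELIVERY_SERVICE, {
        "kms:GenerateDataKey": key_arn,
        "kms:Decrypt": key_arn,
    })


if __name__ == "__main__":
    print(check_bucket_policy(SAMPLE_BUCKET_POLICY, "example-flowlog-bucket"))
    print(check_cmk_policy(SAMPLE_CMK_STATEMENT,
                           "arn:aws:kms:us-east-1:111111111111:key/EXAMPLE-KEY-ID"))
```

Run against the README samples, both checks report nothing missing but one warning per statement, since neither sample scopes the service principal to an account. Feed it the policy you actually deploy (for example the output of `aws s3api get-bucket-policy` or `aws kms get-key-policy`) to catch a bucket name typo or a dropped `GetBucketAcl` statement before the flow log silently fails to deliver.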
### Sample s3 bucket policy

```json
{
  "Id": "policy01",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSLogDeliveryWrite",
      "Effect": "Allow",
      "Principal": { "Service": "delivery.logs.amazonaws.com" },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::BUCKET_NAME/*"
    },
    {
      "Sid": "AWSLogDeliveryCheck",
      "Effect": "Allow",
      "Principal": { "Service": "delivery.logs.amazonaws.com" },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::BUCKET_NAME"
    }
  ]
}
```

### Sample CMK policy

This is a single statement to add to the key policy's `Statement` array:

```json
{
  "Sid": "Allow AWS Service to use the key",
  "Effect": "Allow",
  "Principal": {
    "Service": [
      "delivery.logs.amazonaws.com",
      "cloudtrail.amazonaws.com",
      "s3.amazonaws.com"
    ]
  },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey"
  ],
  "Resource": "*"
}
```

## Example:

```hcl
module "vpc-subnets" {
  source                          = "../../modules/networking/vpc-subnet-manual"
  resource-prefix                 = local.resource-prefix
  private-subnet-cidrs            = ["172.17.0.0/24", "172.17.1.0/24"]
  public-subnet-cidrs             = ["172.17.10.0/24", "172.17.11.0/24"]
  vpc-cidr                        = "172.17.0.0/16"
  enable-flowlog                  = false
  vpcflowlog-cwl-loggroup-key-arn = ""
  create-nat-gateway              = true
  create-free-vpc-endpoints       = true
}
```
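Because the subnet CIDRs are specified by hand, a wrong value surfaces only at `terraform apply`. The following is an added example, not part of the module, that validates a layout like the one in the example above before applying: every subnet must be a proper network (no host bits set), sized within the AWS subnet limits of /16 to /28, contained in the VPC CIDR or one of the `secondary_cidr_blocks`, and disjoint from the other subnets. It uses only the standard library; the CIDR values in the usage block are taken from the example above.

```python
# Added example (not part of the module): validate manually chosen subnet CIDRs
# against the VPC CIDR and any secondary CIDR blocks before terraform apply.
import ipaddress


def validate_subnets(vpc_cidr, subnet_cidrs, secondary_cidrs=()):
    """Return a list of problems for the layout; an empty list means it is valid."""
    problems = []

    # The address space the subnets may live in: the VPC CIDR plus any
    # secondary blocks, which themselves must not overlap each other.
    containers = [ipaddress.ip_network(vpc_cidr, strict=True)]
    for cidr in secondary_cidrs:
        net = ipaddress.ip_network(cidr, strict=True)
        if any(net.overlaps(c) for c in containers):
            problems.append(f"secondary CIDR {cidr}: overlaps an existing VPC CIDR")
        containers.append(net)

    seen = []
    for cidr in subnet_cidrs:
        try:
            # strict=True rejects values such as 172.17.0.5/24 (host bits set),
            # which AWS would also reject.
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{cidr}: {exc}")
            continue
        if not 16 <= net.prefixlen <= 28:
            problems.append(f"{cidr}: AWS subnets must be between /16 and /28")
        if not any(c.version == net.version and net.subnet_of(c) for c in containers):
            problems.append(f"{cidr}: not inside the VPC CIDR or any secondary CIDR")
        for other in seen:
            if net.overlaps(other):
                problems.append(f"{cidr}: overlaps {other}")
        seen.append(net)
    return problems


if __name__ == "__main__":
    # Values from the README example: private and public subnets are checked
    # together so that the two lists cannot overlap each other either.
    private = ["172.17.0.0/24", "172.17.1.0/24"]
    public = ["172.17.10.0/24", "172.17.11.0/24"]
    for problem in validate_subnets("172.17.0.0/16", private + public):
        print(problem)
```

Wire this into a pre-commit hook or CI step that reads the module inputs, and a copy-paste error such as reusing `172.17.0.0/24` for a public subnet, or a subnet that falls outside the VPC range, fails fast instead of half-way through an apply.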