
Overview

This module performs the following tasks:

  • Create the VPC and its VPC flow log
  • Create subnets in every AZ
  • Create an Internet Gateway (IGW) and NAT Gateway (NGW)
  • Create the S3 and DynamoDB gateway endpoints, which are free of charge
  • Associate additional CIDR blocks, if any; this introduces a 10s wait before subnet creation

Subnet addressing

Subnet CIDRs need to be specified manually; the module does not derive them from the VPC CIDR.

Inputs:

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| private-subnet-cidrs | CIDRs of the private subnets | list | [] | yes |
| public-subnet-cidrs | CIDRs of the public subnets | list | [] | yes |
| create-nat-gateway | whether to deploy a NAT gateway for the private subnets | bool | true | yes |
| vpc-cidr | VPC CIDR | string | none | yes |
| enable-flowlog | whether to enable the VPC flow log | bool | true | yes |
| vpcflowlog-retain-days | number of days to retain the VPC flow log in CloudWatch Logs | number | 90 | yes |
| vpcflowlog-cwl-loggroup-key-arn | KMS key alias ARN used to encrypt the log group | string | none | yes |
| secondary_cidr_blocks | additional CIDR blocks to associate with the VPC | list(string) | none | no |
| resource-prefix | prefix for resource names | string | "" | yes |

Outputs:

| Name | Description | Type |
|------|-------------|------|
| vpc_id | VPC id | string |
| public_subnets | list of public subnet CIDR blocks | list |
| private_subnets | list of private subnet CIDR blocks | list |
| secondary_cidr_blocks | list of secondary CIDR blocks | list |

Using an S3 bucket for the flow log

Make sure the bucket policy allows access from the log delivery service principal, delivery.logs.amazonaws.com. If the bucket is encrypted with a customer-managed KMS key (CMK), make sure the key policy also allows the delivery.logs.amazonaws.com service to use the key.

Sample S3 bucket policy

{
  "Id": "policy01",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSLogDeliveryWrite",
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::BUCKET_NAME/*"
    },
    {
      "Sid": "AWSLogDeliveryCheck",
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::BUCKET_NAME"
    }
  ]
}

Sample CMK policy statement (add it to the Statement list of the key policy)

{
  "Sid": "Allow AWS Service to use the key",
  "Effect": "Allow",
  "Principal": {
    "Service": [
      "delivery.logs.amazonaws.com",
      "cloudtrail.amazonaws.com",
      "s3.amazonaws.com"
    ]
  },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey"
  ],
  "Resource": "*"
}
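As an added check that is not part of this module, the script below evaluates a bucket policy and, optionally, a key policy and reports which of the grants flow log delivery needs (s3:PutObject on objects, s3:GetBucketAcl on the bucket, and the KMS actions from the sample statement above) are missing for delivery.logs.amazonaws.com. The bucket name and the two policy documents are constructed sample input; Condition blocks are not evaluated.

```python
import fnmatch

LOG_DELIVERY = "delivery.logs.amazonaws.com"
KMS_ACTIONS = ("kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey", "kms:DescribeKey")  # from the sample CMK statement

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _services(principal):
    # Service principals a statement names; "*" stands for any principal
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []

def _match(patterns, value):
    # IAM-style "*" / "?" wildcards; action names compare case-insensitively
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))

def granted(policy, service, resource, actions):
    """Subset of `actions` that `policy` lets `service` perform on `resource`; an explicit Deny wins."""
    allow, deny = set(), set()
    for st in _as_list(policy.get("Statement", [])):
        who = _services(st.get("Principal"))
        if (service in who or "*" in who) and _match(st.get("Resource", "*"), resource):
            hits = {a for a in actions if _match(st.get("Action", []), a)}
            (allow if st.get("Effect") == "Allow" else deny).update(hits)
    return allow - deny

def flow_log_delivery_gaps(bucket_policy, bucket_name, key_policy=None):
    """Grants flow log delivery still lacks; an empty list means the policies are sufficient."""
    arn = f"arn:aws:s3:::{bucket_name}"
    checks = [("bucket policy", bucket_policy, f"{arn}/AWSLogs/object", ("s3:PutObject",)),
              ("bucket policy", bucket_policy, arn, ("s3:GetBucketAcl",))]
    if key_policy is not None:  # only relevant when the bucket is encrypted with a customer-managed key
        checks.append(("key policy", key_policy, "arn:aws:kms:region:account:key/id", KMS_ACTIONS))
    return [f"{name}: {a}" for name, pol, res, acts in checks
            for a in acts if a not in granted(pol, LOG_DELIVERY, res, set(acts))]

# Constructed sample input: the README's two policies with a placeholder bucket name filled in
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AWSLogDeliveryWrite", "Effect": "Allow", "Principal": {"Service": LOG_DELIVERY},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-flowlog-bucket/*"},
    {"Sid": "AWSLogDeliveryCheck", "Effect": "Allow", "Principal": {"Service": LOG_DELIVERY},
     "Action": "s3:GetBucketAcl", "Resource": "arn:aws:s3:::example-flowlog-bucket"}]}
KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Allow AWS Service to use the key", "Effect": "Allow",
     "Principal": {"Service": [LOG_DELIVERY, "cloudtrail.amazonaws.com", "s3.amazonaws.com"]},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"],
     "Resource": "*"}]}
```

Calling `flow_log_delivery_gaps(BUCKET_POLICY, "example-flowlog-bucket", KEY_POLICY)` returns an empty list; a bucket name the policy does not cover, or an explicit Deny on s3:PutObject, shows up as a named gap.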

Example:

module "vpc-subnets" {
  source = "../../modules/networking/vpc-subnet-manual"

  resource-prefix                 = local.resource-prefix
  private-subnet-cidrs            = ["172.17.0.0/24", "172.17.1.0/24"]
  public-subnet-cidrs             = ["172.17.10.0/24", "172.17.11.0/24"]
  vpc-cidr                        = "172.17.0.0/16"
  enable-flow-log                 = false
  vpcflowlog-cwl-loggroup-key-arn = ""
  create-nat-gateway              = true
  create-free-vpc-endpoints       = true
}