
AWS VPC Terraform module


Terraform module which creates VPC resources on AWS.

These types of resources are supported:

  • VPC
  • Subnet
  • Route
  • Route table
  • Internet Gateway
  • Network ACL
  • NAT Gateway
  • VPN Gateway
  • VPC Flow Log
  • VPC Endpoint:

    • Gateway: S3, DynamoDB
    • Interface: S3, EC2, SSM, EC2 Messages, SSM Messages, SQS, ECR API, ECR DKR, API Gateway, KMS, ECS, ECS Agent, ECS Telemetry, SES, SNS, STS, Glue, CloudWatch(Monitoring, Logs, Events), Elastic Load Balancing, CloudTrail, Secrets Manager, Config, Codeartifact(API, Repositories), CodeBuild, CodeCommit, Git-Codecommit, Textract, Transfer Server, Kinesis Streams, Kinesis Firehose, SageMaker(Notebook, Runtime, API), CloudFormation, CodePipeline, Storage Gateway, AppMesh, Transfer, Service Catalog, AppStream API, AppStream Streaming, Athena, Rekognition, Elastic File System (EFS), Cloud Directory, Elastic Beanstalk (+ Health), Elastic Map Reduce(EMR), DataSync, EBS, SMS, Elastic Inference Runtime, QLDB Session, Step Functions, Access Analyzer, Auto Scaling Plans, Application Auto Scaling, Workspaces, ACM PCA, RDS, CodeDeploy, CodeDeploy Commands Secure, DMS
  • RDS DB Subnet Group
  • ElastiCache Subnet Group
  • Redshift Subnet Group
  • DHCP Options Set
  • Default VPC
  • Default Network ACL

Sponsored by Cloudcraft - the best way to draw AWS diagrams

Terraform versions

Terraform 0.12 and newer. Pin module version to `~> v2.0`. Submit pull-requests to `master` branch.

Terraform 0.11. Pin module version to `~> v1.0`. Submit pull-requests to `terraform011` branch.

Usage

```hcl
module "vpc" {
  source = "terraform-aws-modules/vpc/aws"

  name = "my-vpc"
  cidr = "10.0.0.0/16"

  azs             = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
  private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
  public_subnets  = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]

  enable_nat_gateway = true
  enable_vpn_gateway = true

  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}
```

External NAT Gateway IPs

By default this module will provision new Elastic IPs for the VPC's NAT Gateways. This means that when creating a new VPC, new IPs are allocated, and when that VPC is destroyed those IPs are released. Sometimes it is handy to keep the same IPs even after the VPC is destroyed and re-created. To that end, it is possible to assign existing IPs to the NAT Gateways. This prevents the destruction of the VPC from releasing those IPs, while making it possible that a re-created VPC uses the same IPs.

To achieve this, allocate the IPs outside the VPC module declaration.

```hcl
resource "aws_eip" "nat" {
  count = 3

  vpc = true
}
```

Then, pass the allocated IPs as a parameter to this module.

```hcl
module "vpc" {
  source = "terraform-aws-modules/vpc/aws"

  # The rest of arguments are omitted for brevity

  enable_nat_gateway  = true
  single_nat_gateway  = false
  reuse_nat_ips       = true             # <= Skip creation of EIPs for the NAT Gateways
  external_nat_ip_ids = aws_eip.nat[*].id # <= IPs specified here as input to the module
}
```

Note that in the example we allocate 3 IPs because we will be provisioning 3 NAT Gateways (due to `single_nat_gateway = false` and having 3 subnets). If, on the other hand, `single_nat_gateway = true`, then `aws_eip.nat` would only need to allocate 1 IP. Passing the IPs into the module is done by setting two variables `reuse_nat_ips = true` and `external_nat_ip_ids = aws_eip.nat[*].id`.

NAT Gateway Scenarios

This module supports three scenarios for creating NAT gateways. Each will be explained in further detail in the corresponding sections.

  • One NAT Gateway per subnet (default behavior)
    • enable_nat_gateway = true
    • single_nat_gateway = false
    • one_nat_gateway_per_az = false
  • Single NAT Gateway
    • enable_nat_gateway = true
    • single_nat_gateway = true
    • one_nat_gateway_per_az = false
  • One NAT Gateway per availability zone
    • enable_nat_gateway = true
    • single_nat_gateway = false
    • one_nat_gateway_per_az = true

If both `single_nat_gateway` and `one_nat_gateway_per_az` are set to `true`, then `single_nat_gateway` takes precedence.

One NAT Gateway per subnet (default)

By default, the module will determine the number of NAT Gateways to create based on the `max()` of the private subnet lists (`database_subnets`, `elasticache_subnets`, `private_subnets`, and `redshift_subnets`). The module does not take into account the number of `intra_subnets`, since the latter are designed to have no Internet access via NAT Gateway. For example, if your configuration looks like the following:

```hcl
database_subnets    = ["10.0.21.0/24", "10.0.22.0/24"]
elasticache_subnets = ["10.0.31.0/24", "10.0.32.0/24"]
private_subnets     = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24", "10.0.4.0/24", "10.0.5.0/24"]
redshift_subnets    = ["10.0.41.0/24", "10.0.42.0/24"]
intra_subnets       = ["10.0.51.0/24", "10.0.52.0/24", "10.0.53.0/24"]
```

Then `5` NAT Gateways will be created since `5` private subnet CIDR blocks were specified.

Single NAT Gateway

If `single_nat_gateway = true`, then all private subnets will route their Internet traffic through this single NAT gateway. The NAT gateway will be placed in the first public subnet in your `public_subnets` block. This is the cheapest option, but it is also a single point of failure: an outage of the availability zone that hosts the NAT gateway removes Internet egress for the private subnets in every other zone as well.

One NAT Gateway per availability zone

If `one_nat_gateway_per_az = true` and `single_nat_gateway = false`, then the module will place one NAT gateway in each availability zone you specify in `var.azs`. There are some requirements around using this feature flag:

  • The variable `var.azs` must be specified.
  • The number of public subnet CIDR blocks specified in `public_subnets` must be greater than or equal to the number of availability zones specified in `var.azs`. This is to ensure that each NAT Gateway has a dedicated public subnet to deploy to.

"private" versus "intra" subnets

By default, if NAT Gateways are enabled, private subnets will be configured with routes for Internet traffic that point at the NAT Gateways configured by use of the above options.

If you need private subnets that should have no Internet routing (in the sense of RFC1918 Category 1 subnets), `intra_subnets` should be specified. An example use case is configuration of AWS Lambda functions within a VPC, where AWS Lambda functions only need to pass traffic to internal resources or VPC endpoints for AWS services.

Since AWS Lambda functions allocate Elastic Network Interfaces in proportion to the traffic received, it can be useful to allocate a large private subnet for such allocations, while keeping the traffic they generate entirely internal to the VPC.

You can add additional tags with `intra_subnet_tags` as with other subnet types.
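The following is an added example, not code from the module's README, that puts the two preceding sections together: one NAT Gateway per availability zone for the private tier, and intra subnets that hold the ENIs of a Lambda function so that it can reach AWS APIs only through VPC endpoints, never through a NAT Gateway. It assumes the `~> 2.0` module line recommended above with its per-service `enable_*_endpoint` inputs and the `vpc_id`, `vpc_cidr_block`, `intra_subnets` and `vpc_endpoint_s3_pl_id` outputs; the CIDRs, names, security groups, IAM role and the `worker.zip` deployment package are illustrative assumptions.

```hcl
# Added example (not the module's own code). Names, CIDRs, security groups,
# the IAM role and worker.zip are assumptions for illustration.
module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "~> 2.0"

  name = "lambda-vpc"
  cidr = "10.0.0.0/16"

  azs             = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
  public_subnets  = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
  private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
  # Large intra subnets: Lambda allocates its ENIs here, and the intra route
  # tables never receive a 0.0.0.0/0 route to a NAT Gateway or IGW.
  intra_subnets = ["10.0.64.0/20", "10.0.80.0/20", "10.0.96.0/20"]

  # One NAT Gateway per AZ (requires len(public_subnets) >= len(azs)): an AZ
  # outage does not remove egress for the other AZs, at the cost of three
  # NAT Gateways instead of one.
  enable_nat_gateway     = true
  single_nat_gateway     = false
  one_nat_gateway_per_az = true

  # Private DNS on interface endpoints makes the SDK's default service
  # hostnames resolve to the endpoint ENIs inside the VPC.
  enable_dns_hostnames = true
  enable_dns_support   = true

  # Gateway endpoint; the module attaches it to the intra route tables too.
  enable_s3_endpoint = true

  # Interface endpoints are placed in the private subnets by default and are
  # reachable from the intra subnets over the VPC-local route.
  enable_ssm_endpoint              = true
  ssm_endpoint_private_dns_enabled = true
  ssm_endpoint_security_group_ids  = [aws_security_group.endpoints.id]

  enable_sqs_endpoint              = true
  sqs_endpoint_private_dns_enabled = true
  sqs_endpoint_security_group_ids  = [aws_security_group.endpoints.id]

  intra_subnet_tags = { Tier = "lambda" }
}

# Only HTTPS from inside the VPC may reach the endpoint ENIs.
resource "aws_security_group" "endpoints" {
  name   = "vpc-endpoints"
  vpc_id = module.vpc.vpc_id

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [module.vpc.vpc_cidr_block]
  }
}

# The function may only talk HTTPS to the VPC (interface endpoints, internal
# services) and to S3 through the gateway endpoint's prefix list.
resource "aws_security_group" "lambda" {
  name   = "lambda-worker"
  vpc_id = module.vpc.vpc_id

  egress {
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    cidr_blocks     = [module.vpc.vpc_cidr_block]
    prefix_list_ids = [module.vpc.vpc_endpoint_s3_pl_id]
  }
}

resource "aws_iam_role" "lambda" {
  name = "lambda-intra"
  assume_role_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "sts:AssumeRole", Principal = { Service = "lambda.amazonaws.com" } }]
  })
}

# Lets Lambda create and delete its ENIs in the intra subnets.
resource "aws_iam_role_policy_attachment" "lambda_vpc" {
  role       = aws_iam_role.lambda.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
}

resource "aws_lambda_function" "worker" {
  function_name = "worker"
  role          = aws_iam_role.lambda.arn
  handler       = "handler.main"
  runtime       = "python3.8"
  filename      = "worker.zip" # assumed deployment package

  # ENIs land in the intra subnets: the function reaches the endpoints above
  # and other VPC resources, but has no path to the Internet at all.
  vpc_config {
    subnet_ids         = module.vpc.intra_subnets
    security_group_ids = [aws_security_group.lambda.id]
  }
}
```

Passing `aws_security_group.endpoints.id` into the module while the security group itself reads `module.vpc.vpc_id` is not a cycle: Terraform tracks dependencies per resource, so the VPC is created first, then the security group, then the endpoints. If a future change adds a NAT route to the intra subnets by mistake, the Lambda security group above still has no egress rule that would let the function use it.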

VPC Flow Log

VPC Flow Logs capture metadata about the IP traffic of a specific network interface (ENI), subnet, or an entire VPC. This module supports enabling or disabling VPC Flow Logs for the entire VPC only. If you need Flow Logs for an individual subnet or ENI, you have to manage them outside of this module with the `aws_flow_log` resource.

Permissions Boundary

If your organization requires a permissions boundary to be attached to the VPC Flow Log role, make sure that you specify an ARN of the permissions boundary policy as the `vpc_flow_log_permissions_boundary` argument. Read more about the required IAM policy for publishing flow logs in the AWS documentation.
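As an added example (not the module's own code) of the two sections above, the configuration below enables Flow Logs for the whole VPC, lets the module create the CloudWatch log group and the IAM role with the organisation's permissions boundary attached, and adds a CloudWatch metric filter over the default flow-log record format so that rejected inbound SSH shows up as a metric. It assumes the `~> 2.0` module line, its `enable_flow_log`, `create_flow_log_cloudwatch_*`, `flow_log_*` and `vpc_flow_log_permissions_boundary` inputs and its `vpc_flow_log_destination_arn` output; the boundary ARN is supplied through an assumed variable and the CIDRs and names are illustrative.

```hcl
# Added example (not the module's own code). The boundary ARN, CIDRs and
# names are assumptions for illustration.
variable "flow_log_permissions_boundary_arn" {
  type        = string
  description = "ARN of the permissions boundary policy the organisation requires on IAM roles"
}

module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "~> 2.0"

  name = "audited-vpc"
  cidr = "10.1.0.0/16"

  azs             = ["eu-west-1a", "eu-west-1b"]
  private_subnets = ["10.1.1.0/24", "10.1.2.0/24"]
  public_subnets  = ["10.1.101.0/24", "10.1.102.0/24"]

  enable_nat_gateway = true

  # Whole-VPC flow log to CloudWatch Logs; the module creates the log group
  # and the publishing role, and puts the boundary on that role.
  enable_flow_log                      = true
  flow_log_traffic_type                = "ALL" # ACCEPT, REJECT or ALL
  flow_log_destination_type            = "cloud-watch-logs"
  create_flow_log_cloudwatch_log_group = true
  create_flow_log_cloudwatch_iam_role  = true
  vpc_flow_log_permissions_boundary    = var.flow_log_permissions_boundary_arn

  # 60 s aggregation instead of the 600 s default, so detections lag less;
  # keep 90 days for investigations.
  flow_log_max_aggregation_interval               = 60
  flow_log_cloudwatch_log_group_retention_in_days = 90
}

# The module exposes the destination as an ARN
# (arn:aws:logs:<region>:<account>:log-group:<name>:*); field 6 of the
# colon-split ARN is the log group name.
locals {
  flow_log_group_name = element(split(":", module.vpc.vpc_flow_log_destination_arn), 6)
}

# Count REJECTed TCP/22 records. Field order is the default flow-log format:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status.
resource "aws_cloudwatch_log_metric_filter" "rejected_ssh" {
  name           = "rejected-ssh"
  log_group_name = local.flow_log_group_name
  pattern        = "[version, account, eni, srcaddr, dstaddr, srcport, dstport=22, protocol=6, packets, bytes, start, end, action=REJECT, status]"

  metric_transformation {
    name      = "RejectedSSH"
    namespace = "VPCFlowLogs"
    value     = "1"
  }
}
```

A CloudWatch alarm on `VPCFlowLogs/RejectedSSH` is the usual next step. Note that the role the module creates is only used by the Flow Logs service to publish into the log group; anything that reads the logs still needs its own `logs:FilterLogEvents` permissions.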

Conditional creation

Prior to Terraform 0.13, you were unable to specify `count` in a module block. If you wish to toggle the creation of the module's resources in an older (pre 0.13) version of Terraform, you can use the `create_vpc` argument.

```hcl
# This VPC will not be created
module "vpc" {
  source = "terraform-aws-modules/vpc/aws"

  create_vpc = false

  # ... omitted
}
```

Public access to RDS instances

Sometimes it is handy to have public access to RDS instances (it is not recommended for production) by specifying these arguments:

```hcl
create_database_subnet_group           = true
create_database_subnet_route_table     = true
create_database_internet_gateway_route = true

enable_dns_hostnames = true
enable_dns_support   = true
```

These arguments only give the database subnets a route to the Internet Gateway; the instance is still unreachable from the Internet unless it is also created with `publicly_accessible = true` and its security group allows the database port from the client addresses.

Network Access Control Lists (ACL or NACL)

This module can manage network ACL and rules. Once VPC is created, AWS creates the default network ACL, which can be controlled using this module (`manage_default_network_acl = true`).

Also, each type of subnet may have its own network ACL with custom rules per subnet. Eg, set `public_dedicated_network_acl = true` to use dedicated network ACL for the public subnets; set values of `public_inbound_acl_rules` and `public_outbound_acl_rules` to specify all the NACL rules you need to have on public subnets (see `variables.tf` for default values and structures).

By default, all subnets are associated with the default network ACL.
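The following is an added example, not code from the module's README, of a restrictive NACL layout built with the inputs just described: a dedicated public NACL that admits only HTTPS and return traffic, a dedicated private NACL, and a default NACL emptied so that any subnet left on it gets no traffic. It assumes the `~> 2.0` module line and the rule structure of `public_inbound_acl_rules` (maps with `rule_number`, `rule_action`, `from_port`, `to_port`, `protocol`, `cidr_block`); the CIDRs and names are illustrative.

```hcl
# Added example (not the module's own code). CIDRs and names are assumptions.
# NACLs are stateless, so return traffic needs its own rules, and because
# the NAT Gateways sit in the public subnets, the public NACL also filters
# every packet the private tier sends to or receives from the Internet.
module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "~> 2.0"

  name = "nacl-vpc"
  cidr = "10.2.0.0/16"

  azs             = ["eu-west-1a", "eu-west-1b"]
  public_subnets  = ["10.2.101.0/24", "10.2.102.0/24"]
  private_subnets = ["10.2.1.0/24", "10.2.2.0/24"]

  enable_nat_gateway = true
  single_nat_gateway = false

  # Empty rule sets on the default NACL: anything still associated with it
  # (a subnet type added later without a dedicated NACL) gets nothing.
  manage_default_network_acl  = true
  default_network_acl_ingress = []
  default_network_acl_egress  = []

  public_dedicated_network_acl = true
  public_inbound_acl_rules = [
    # Private tier -> NAT Gateway: the hop enters the public subnet.
    { rule_number = 90, rule_action = "allow", from_port = 0, to_port = 0, protocol = "-1", cidr_block = "10.2.0.0/16" },
    # Public service: HTTPS from anywhere.
    { rule_number = 100, rule_action = "allow", from_port = 443, to_port = 443, protocol = "tcp", cidr_block = "0.0.0.0/0" },
    # Return traffic for connections the NAT Gateways and public hosts opened.
    { rule_number = 110, rule_action = "allow", from_port = 1024, to_port = 65535, protocol = "tcp", cidr_block = "0.0.0.0/0" },
    # SSH, RDP and everything else fall through to the implicit deny.
  ]
  public_outbound_acl_rules = [
    # NAT Gateway -> private tier (replies to the hop above).
    { rule_number = 90, rule_action = "allow", from_port = 0, to_port = 0, protocol = "-1", cidr_block = "10.2.0.0/16" },
    # Outbound web traffic, including NAT-ed traffic from the private tier.
    { rule_number = 100, rule_action = "allow", from_port = 80, to_port = 80, protocol = "tcp", cidr_block = "0.0.0.0/0" },
    { rule_number = 110, rule_action = "allow", from_port = 443, to_port = 443, protocol = "tcp", cidr_block = "0.0.0.0/0" },
    # Replies to inbound HTTPS clients go to their ephemeral source ports.
    { rule_number = 120, rule_action = "allow", from_port = 1024, to_port = 65535, protocol = "tcp", cidr_block = "0.0.0.0/0" },
    # Add UDP 53/123 here if private hosts use external DNS or NTP via NAT;
    # the VPC resolver at VPC+2 is not subject to NACLs.
  ]

  # The private tier keeps the module's default allow-all rules on its own
  # NACL; the public NACL above is what constrains its Internet access.
  private_dedicated_network_acl = true
}
```

The inbound and outbound rules for `10.2.0.0/16` are the ones people forget: without them the private subnets lose Internet access as soon as the public NACL stops being allow-all, because the NAT Gateway hop is itself traffic into and out of a public subnet.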

Public access to Redshift cluster

Sometimes it is handy to have public access to Redshift clusters (for example if you need to access it by Kinesis - VPC endpoint for Kinesis is not yet supported by Redshift) by specifying these arguments:

```hcl
enable_public_redshift = true  # <= By default Redshift subnets will be associated with the private route table
```

Transit Gateway (TGW) integration

It is possible to integrate this VPC module with terraform-aws-transit-gateway module which handles the creation of TGW resources and VPC attachments. See complete example there.

Examples

Requirements

| Name | Version |
|------|---------|
| terraform | >= 0.12.21 |
| aws | >= 2.70 |

Providers

| Name | Version |
|------|---------|
| aws | >= 2.70 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_cloudwatch_log_group.flow_log | resource |
| aws_customer_gateway.this | resource |
| aws_db_subnet_group.database | resource |
| aws_default_network_acl.this | resource |
| aws_default_route_table.default | resource |
| aws_default_security_group.this | resource |
| aws_default_vpc.this | resource |
| aws_egress_only_internet_gateway.this | resource |
| aws_eip.nat | resource |
| aws_elasticache_subnet_group.elasticache | resource |
| aws_flow_log.this | resource |
| aws_iam_policy.vpc_flow_log_cloudwatch | resource |
| aws_iam_role.vpc_flow_log_cloudwatch | resource |
| aws_iam_role_policy_attachment.vpc_flow_log_cloudwatch | resource |
| aws_internet_gateway.this | resource |
| aws_nat_gateway.this | resource |
| aws_network_acl.database | resource |
| aws_network_acl.elasticache | resource |
| aws_network_acl.intra | resource |
| aws_network_acl.outpost | resource |
| aws_network_acl.private | resource |
| aws_network_acl.public | resource |
| aws_network_acl.redshift | resource |
| aws_network_acl_rule.database_inbound | resource |
| aws_network_acl_rule.database_outbound | resource |
| aws_network_acl_rule.elasticache_inbound | resource |
| aws_network_acl_rule.elasticache_outbound | resource |
| aws_network_acl_rule.intra_inbound | resource |
| aws_network_acl_rule.intra_outbound | resource |
| aws_network_acl_rule.outpost_inbound | resource |
| aws_network_acl_rule.outpost_outbound | resource |
| aws_network_acl_rule.private_inbound | resource |
| aws_network_acl_rule.private_outbound | resource |
| aws_network_acl_rule.public_inbound | resource |
| aws_network_acl_rule.public_outbound | resource |
| aws_network_acl_rule.redshift_inbound | resource |
| aws_network_acl_rule.redshift_outbound | resource |
| aws_redshift_subnet_group.redshift | resource |
| aws_route.database_internet_gateway | resource |
| aws_route.database_ipv6_egress | resource |
| aws_route.database_nat_gateway | resource |
| aws_route.private_ipv6_egress | resource |
| aws_route.private_nat_gateway | resource |
| aws_route.public_internet_gateway | resource |
| aws_route.public_internet_gateway_ipv6 | resource |
| aws_route_table.database | resource |
| aws_route_table.elasticache | resource |
| aws_route_table.intra | resource |
| aws_route_table.private | resource |
| aws_route_table.public | resource |
| aws_route_table.redshift | resource |
| aws_route_table_association.database | resource |
| aws_route_table_association.elasticache | resource |
| aws_route_table_association.intra | resource |
| aws_route_table_association.outpost | resource |
| aws_route_table_association.private | resource |
| aws_route_table_association.public | resource |
| aws_route_table_association.redshift | resource |
| aws_route_table_association.redshift_public | resource |
| aws_subnet.database | resource |
| aws_subnet.elasticache | resource |
| aws_subnet.intra | resource |
| aws_subnet.outpost | resource |
| aws_subnet.private | resource |
| aws_subnet.public | resource |
| aws_subnet.redshift | resource |
| aws_vpc.this | resource |
| aws_vpc_dhcp_options.this | resource |
| aws_vpc_dhcp_options_association.this | resource |
| aws_vpc_endpoint.access_analyzer | resource |
| aws_vpc_endpoint.acm_pca | resource |
| aws_vpc_endpoint.apigw | resource |
| aws_vpc_endpoint.appmesh_envoy_management | resource |
| aws_vpc_endpoint.appstream_api | resource |
| aws_vpc_endpoint.appstream_streaming | resource |
| aws_vpc_endpoint.athena | resource |
| aws_vpc_endpoint.auto_scaling_plans | resource |
| aws_vpc_endpoint.cloud_directory | resource |
| aws_vpc_endpoint.cloudformation | resource |
| aws_vpc_endpoint.cloudtrail | resource |
| aws_vpc_endpoint.codeartifact_api | resource |
| aws_vpc_endpoint.codeartifact_repositories | resource |
| aws_vpc_endpoint.codebuild | resource |
| aws_vpc_endpoint.codecommit | resource |
| aws_vpc_endpoint.codedeploy | resource |
| aws_vpc_endpoint.codedeploy_commands_secure | resource |
| aws_vpc_endpoint.codepipeline | resource |
| aws_vpc_endpoint.config | resource |
| aws_vpc_endpoint.datasync | resource |
| aws_vpc_endpoint.dms | resource |
| aws_vpc_endpoint.dynamodb | resource |
| aws_vpc_endpoint.ebs | resource |
| aws_vpc_endpoint.ec2 | resource |
| aws_vpc_endpoint.ec2_autoscaling | resource |
| aws_vpc_endpoint.ec2messages | resource |
| aws_vpc_endpoint.ecr_api | resource |
| aws_vpc_endpoint.ecr_dkr | resource |
| aws_vpc_endpoint.ecs | resource |
| aws_vpc_endpoint.ecs_agent | resource |
| aws_vpc_endpoint.ecs_telemetry | resource |
| aws_vpc_endpoint.efs | resource |
| aws_vpc_endpoint.elastic_inference_runtime | resource |
| aws_vpc_endpoint.elasticbeanstalk | resource |
| aws_vpc_endpoint.elasticbeanstalk_health | resource |
| aws_vpc_endpoint.elasticloadbalancing | resource |
| aws_vpc_endpoint.emr | resource |
| aws_vpc_endpoint.events | resource |
| aws_vpc_endpoint.git_codecommit | resource |
| aws_vpc_endpoint.glue | resource |
| aws_vpc_endpoint.kinesis_firehose | resource |
| aws_vpc_endpoint.kinesis_streams | resource |
| aws_vpc_endpoint.kms | resource |
| aws_vpc_endpoint.lambda | resource |
| aws_vpc_endpoint.logs | resource |
| aws_vpc_endpoint.monitoring | resource |
| aws_vpc_endpoint.qldb_session | resource |
| aws_vpc_endpoint.rds | resource |
| aws_vpc_endpoint.rekognition | resource |
| aws_vpc_endpoint.s3 | resource |
| aws_vpc_endpoint.sagemaker_api | resource |
| aws_vpc_endpoint.sagemaker_notebook | resource |
| aws_vpc_endpoint.sagemaker_runtime | resource |
| aws_vpc_endpoint.secretsmanager | resource |
| aws_vpc_endpoint.servicecatalog | resource |
| aws_vpc_endpoint.ses | resource |
| aws_vpc_endpoint.sms | resource |
| aws_vpc_endpoint.sns | resource |
| aws_vpc_endpoint.sqs | resource |
| aws_vpc_endpoint.ssm | resource |
| aws_vpc_endpoint.ssmmessages | resource |
| aws_vpc_endpoint.states | resource |
| aws_vpc_endpoint.storagegateway | resource |
| aws_vpc_endpoint.sts | resource |
| aws_vpc_endpoint.textract | resource |
| aws_vpc_endpoint.transfer | resource |
| aws_vpc_endpoint.transferserver | resource |
| aws_vpc_endpoint.workspaces | resource |
| aws_vpc_endpoint_route_table_association.intra_dynamodb | resource |
| aws_vpc_endpoint_route_table_association.intra_s3 | resource |
| aws_vpc_endpoint_route_table_association.private_dynamodb | resource |
| aws_vpc_endpoint_route_table_association.private_s3 | resource |
| aws_vpc_endpoint_route_table_association.public_dynamodb | resource |
| aws_vpc_endpoint_route_table_association.public_s3 | resource |
| aws_vpc_ipv4_cidr_block_association.this | resource |
| aws_vpn_gateway.this | resource |
| aws_vpn_gateway_attachment.this | resource |
| aws_vpn_gateway_route_propagation.intra | resource |
| aws_vpn_gateway_route_propagation.private | resource |
| aws_vpn_gateway_route_propagation.public | resource |
| aws_iam_policy_document.flow_log_cloudwatch_assume_role | data source |
| aws_iam_policy_document.vpc_flow_log_cloudwatch | data source |
| aws_vpc_endpoint_service.access_analyzer | data source |
| aws_vpc_endpoint_service.acm_pca | data source |
| aws_vpc_endpoint_service.apigw | data source |
| aws_vpc_endpoint_service.appmesh_envoy_management | data source |
| aws_vpc_endpoint_service.appstream_api | data source |
| aws_vpc_endpoint_service.appstream_streaming | data source |
| aws_vpc_endpoint_service.athena | data source |
| aws_vpc_endpoint_service.auto_scaling_plans | data source |
| aws_vpc_endpoint_service.cloud_directory | data source |
| aws_vpc_endpoint_service.cloudformation | data source |
| aws_vpc_endpoint_service.cloudtrail | data source |
| aws_vpc_endpoint_service.codeartifact_api | data source |
| aws_vpc_endpoint_service.codeartifact_repositories | data source |
| aws_vpc_endpoint_service.codebuild | data source |
| aws_vpc_endpoint_service.codecommit | data source |
| aws_vpc_endpoint_service.codedeploy | data source |
| aws_vpc_endpoint_service.codedeploy_commands_secure | data source |
| aws_vpc_endpoint_service.codepipeline | data source |
| aws_vpc_endpoint_service.config | data source |
| aws_vpc_endpoint_service.datasync | data source |
| aws_vpc_endpoint_service.dms | data source |
| aws_vpc_endpoint_service.dynamodb | data source |
| aws_vpc_endpoint_service.ebs | data source |
| aws_vpc_endpoint_service.ec2 | data source |
| aws_vpc_endpoint_service.ec2_autoscaling | data source |
| aws_vpc_endpoint_service.ec2messages | data source |
| aws_vpc_endpoint_service.ecr_api | data source |
| aws_vpc_endpoint_service.ecr_dkr | data source |
| aws_vpc_endpoint_service.ecs | data source |
| aws_vpc_endpoint_service.ecs_agent | data source |
| aws_vpc_endpoint_service.ecs_telemetry | data source |
| aws_vpc_endpoint_service.efs | data source |
| aws_vpc_endpoint_service.elastic_inference_runtime | data source |
| aws_vpc_endpoint_service.elasticbeanstalk | data source |
| aws_vpc_endpoint_service.elasticbeanstalk_health | data source |
| aws_vpc_endpoint_service.elasticloadbalancing | data source |
| aws_vpc_endpoint_service.emr | data source |
| aws_vpc_endpoint_service.events | data source |
| aws_vpc_endpoint_service.git_codecommit | data source |
| aws_vpc_endpoint_service.glue | data source |
| aws_vpc_endpoint_service.kinesis_firehose | data source |
| aws_vpc_endpoint_service.kinesis_streams | data source |
| aws_vpc_endpoint_service.kms | data source |
| aws_vpc_endpoint_service.lambda | data source |
| aws_vpc_endpoint_service.logs | data source |
| aws_vpc_endpoint_service.monitoring | data source |
| aws_vpc_endpoint_service.qldb_session | data source |
| aws_vpc_endpoint_service.rds | data source |
| aws_vpc_endpoint_service.rekognition | data source |
| aws_vpc_endpoint_service.s3 | data source |
| aws_vpc_endpoint_service.sagemaker_api | data source |
| aws_vpc_endpoint_service.sagemaker_notebook | data source |
| aws_vpc_endpoint_service.sagemaker_runtime | data source |
| aws_vpc_endpoint_service.secretsmanager | data source |
| aws_vpc_endpoint_service.servicecatalog | data source |
| aws_vpc_endpoint_service.ses | data source |
| aws_vpc_endpoint_service.sms | data source |
| aws_vpc_endpoint_service.sns | data source |
| aws_vpc_endpoint_service.sqs | data source |
| aws_vpc_endpoint_service.ssm | data source |
| aws_vpc_endpoint_service.ssmmessages | data source |
| aws_vpc_endpoint_service.states | data source |
| aws_vpc_endpoint_service.storagegateway | data source |
| aws_vpc_endpoint_service.sts | data source |
| aws_vpc_endpoint_service.textract | data source |
| aws_vpc_endpoint_service.transfer | data source |
| aws_vpc_endpoint_service.transferserver | data source |
| aws_vpc_endpoint_service.workspaces | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| access_analyzer_endpoint_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access | `string` | `null` | no |
| access_analyzer_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for Access Analyzer endpoint | `bool` | `false` | no |
| access_analyzer_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for Access Analyzer endpoint | `list(string)` | `[]` | no |
| access_analyzer_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for Access Analyzer endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
| acm_pca_endpoint_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access | `string` | `null` | no |
| acm_pca_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for ACM PCA endpoint | `bool` | `false` | no |
| acm_pca_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for ACM PCA endpoint | `list(string)` | `[]` | no |
| acm_pca_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for ACM PCA endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
| amazon_side_asn | The Autonomous System Number (ASN) for the Amazon side of the gateway. By default the virtual private gateway is created with the current default Amazon ASN. | `string` | `"64512"` | no |
| apigw_endpoint_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access | `string` | `null` | no |
| apigw_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for API GW endpoint | `bool` | `false` | no |
| apigw_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for API GW endpoint | `list(string)` | `[]` | no |
| apigw_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for API GW endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
| appmesh_envoy_management_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for AppMesh endpoint | `bool` | `false` | no |
| appmesh_envoy_management_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for AppMesh endpoint | `list(string)` | `[]` | no |
| appmesh_envoy_management_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for AppMesh endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
| appstream_api_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for AppStream API endpoint | `bool` | `false` | no |
| appstream_api_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for AppStream API endpoint | `list(string)` | `[]` | no |
| appstream_api_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for AppStream API endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
| appstream_streaming_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for AppStream Streaming endpoint | `bool` | `false` | no |
| appstream_streaming_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for AppStream Streaming endpoint | `list(string)` | `[]` | no |
| appstream_streaming_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for AppStream Streaming endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
| assign_ipv6_address_on_creation | Assign IPv6 address on subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch | `bool` | `false` | no |
| athena_endpoint_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access | `string` | `null` | no |
| athena_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for Athena endpoint | `bool` | `false` | no |
| athena_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for Athena endpoint | `list(string)` | `[]` | no |
| athena_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for Athena endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
| auto_scaling_plans_endpoint_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access | `string` | `null` | no |
| auto_scaling_plans_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for Auto Scaling Plans endpoint | `bool` | `false` | no |
| auto_scaling_plans_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for Auto Scaling Plans endpoint | `list(string)` | `[]` | no |
| auto_scaling_plans_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for Auto Scaling Plans endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
| azs | A list of availability zones names or ids in the region | `list(string)` | `[]` | no |
| cidr | The CIDR block for the VPC. Default value is a valid CIDR, but not acceptable by AWS and should be overridden | `string` | `"0.0.0.0/0"` | no |
| cloud_directory_endpoint_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access | `string` | `null` | no |
| cloud_directory_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for Cloud Directory endpoint | `bool` | `false` | no |
| cloud_directory_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for Cloud Directory endpoint | `list(string)` | `[]` | no |
| cloud_directory_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for Cloud Directory endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
| cloudformation_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for CloudFormation endpoint | `bool` | `false` | no |
| cloudformation_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for CloudFormation endpoint | `list(string)` | `[]` | no |
| cloudformation_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for CloudFormation endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
| cloudtrail_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for CloudTrail endpoint | `bool` | `false` | no |
| cloudtrail_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for CloudTrail endpoint | `list(string)` | `[]` | no |
| cloudtrail_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for CloudTrail endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
| codeartifact_api_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for CodeArtifact API endpoint | `bool` | `false` | no |
| codeartifact_api_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for CodeArtifact API endpoint | `list(string)` | `[]` | no |
| codeartifact_api_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for CodeArtifact API endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
| codeartifact_repositories_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for CodeArtifact repositories endpoint | `bool` | `false` | no |
| codeartifact_repositories_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for CodeArtifact repositories endpoint | `list(string)` | `[]` | no |
| codeartifact_repositories_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for CodeArtifact repositories endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
| codebuild_endpoint_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access | `string` | `null` | no |
| codebuild_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for CodeBuild endpoint | `bool` | `false` | no |
| codebuild_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for CodeBuild endpoint | `list(string)` | `[]` | no |
| codebuild_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for CodeBuild endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
| codecommit_endpoint_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access | `string` | `null` | no |
| codecommit_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for CodeCommit endpoint | `bool` | `false` | no |
| codecommit_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for CodeCommit endpoint | `list(string)` | `[]` | no |
| codecommit_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for CodeCommit endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
| codedeploy_commands_secure_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for CodeDeploy Commands Secure endpoint | `bool` | `false` | no |
| codedeploy_commands_secure_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for CodeDeploy Commands Secure endpoint | `list(string)` | `[]` | no |
| codedeploy_commands_secure_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for CodeDeploy Commands Secure endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
| codedeploy_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for CodeDeploy endpoint | `bool` | `false` | no |
| codedeploy_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for CodeDeploy endpoint | `list(string)` | `[]` | no |
| codedeploy_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for CodeDeploy endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
| codepipeline_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for CodePipeline endpoint | `bool` | `false` | no |
| codepipeline_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for CodePipeline endpoint | `list(string)` | `[]` | no |
| codepipeline_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for CodePipeline endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
| config_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for Config endpoint | `bool` | `false` | no |
| config_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for Config endpoint | `list(string)` | `[]` | no |
| config_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for Config endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
| create_database_internet_gateway_route | Controls if an internet gateway route for public database access should be created | `bool` | `false` | no |
| create_database_nat_gateway_route | Controls if a NAT gateway route should be created to give internet access to the database subnets | `bool` | `false` | no |
| create_database_subnet_group | Controls if database subnet group should be created (n.b. database_subnets must also be set) | `bool` | `true` | no |
| create_database_subnet_route_table | Controls if separate route table for database should be created | `bool` | `false` | no |
| create_egress_only_igw | Controls if an Egress Only Internet Gateway is created and its related routes. |
bool
|
true
| no | | create_elasticache_subnet_group | Controls if elasticache subnet group should be created |
bool
|
true
| no | | create_elasticache_subnet_route_table | Controls if separate route table for elasticache should be created |
bool
|
false
| no | | create_flow_log_cloudwatch_iam_role | Whether to create IAM role for VPC Flow Logs |
bool
|
false
| no | | create_flow_log_cloudwatch_log_group | Whether to create CloudWatch log group for VPC Flow Logs |
bool
|
false
| no | | create_igw | Controls if an Internet Gateway is created for public subnets and the related routes that connect them. |
bool
|
true
| no | | create_redshift_subnet_group | Controls if redshift subnet group should be created |
bool
|
true
| no | | create_redshift_subnet_route_table | Controls if separate route table for redshift should be created |
bool
|
false
| no | | create_vpc | Controls if VPC should be created (it affects almost all resources) |
bool
|
true
| no | | customer_gateway_tags | Additional tags for the Customer Gateway |
map(string)
|
{}
| no | | customer_gateways | Maps of Customer Gateway's attributes (BGP ASN and Gateway's Internet-routable external IP address) |
map(map(any))
|
{}
| no | | database_acl_tags | Additional tags for the database subnets network ACL |
map(string)
|
{}
| no | | database_dedicated_network_acl | Whether to use dedicated network ACL (not default) and custom rules for database subnets |
bool
|
false
| no | | database_inbound_acl_rules | Database subnets inbound network ACL rules |
list(map(string))
|
[
{
"cidrblock": "0.0.0.0/0",
"from
port": 0,
"protocol": "-1",
"ruleaction": "allow",
"rule
number": 100,
"toport": 0
}
]
| no | | <a name="inputdatabaseoutboundaclrules"> database_outbound_acl_rules | Database subnets outbound network ACL rules |
list(map(string))
|
[
{
"cidr
block": "0.0.0.0/0",
"fromport": 0,
"protocol": "-1",
"rule
action": "allow",
"rulenumber": 100,
"to
port": 0
}
] | no | | database_route_table_tags | Additional tags for the database route tables |
map(string)
|
{}
| no | | database_subnet_assign_ipv6_address_on_creation | Assign IPv6 address on database subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch |
bool
|
null
| no | | database_subnet_group_tags | Additional tags for the database subnet group |
map(string)
|
{}
| no | | database_subnet_ipv6_prefixes | Assigns IPv6 database subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list |
list(string)
|
[]
| no | | database_subnet_suffix | Suffix to append to database subnets name |
string
|
"db"
| no | | database_subnet_tags | Additional tags for the database subnets |
map(string)
|
{}
| no | | database_subnets | A list of database subnets |
list(string)
|
[]
| no | | datasync_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for Data Sync endpoint |
bool
|
false
| no | | datasync_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for Data Sync endpoint |
list(string)
|
[]
| no | | datasync_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for Data Sync endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used. |
list(string)
|
[]
| no | | default_network_acl_egress | List of maps of egress rules to set on the Default Network ACL |
list(map(string))
|
[
{
"action": "allow",
"cidrblock": "0.0.0.0/0",
"from
port": 0,
"protocol": "-1",
"ruleno": 100,
"to
port": 0
},
{
"action": "allow",
"fromport": 0,
"ipv6
cidrblock": "::/0",
"protocol": "-1",
"rule
no": 101,
"toport": 0
}
]
| no | | <a name="inputdefaultnetworkaclingress"> default_network_acl_ingress | List of maps of ingress rules to set on the Default Network ACL |
list(map(string))
|
[
{
"action": "allow",
"cidr
block": "0.0.0.0/0",
"fromport": 0,
"protocol": "-1",
"rule
no": 100,
"toport": 0
},
{
"action": "allow",
"from
port": 0,
"ipv6cidrblock": "::/0",
"protocol": "-1",
"ruleno": 101,
"to
port": 0
}
] | no | | default_network_acl_name | Name to be used on the Default Network ACL |
string
|
""
| no | | default_network_acl_tags | Additional tags for the Default Network ACL |
map(string)
|
{}
| no | | default_route_table_propagating_vgws | List of virtual gateways for propagation |
list(string)
|
[]
| no | | default_route_table_routes | Configuration block of routes. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/defaultroutetable#route |
list(map(string))
|
[]
| no | | default_route_table_tags | Additional tags for the default route table |
map(string)
|
{}
| no | | default_security_group_egress | List of maps of egress rules to set on the default security group |
list(map(string))
|
null
| no | | default_security_group_ingress | List of maps of ingress rules to set on the default security group |
list(map(string))
|
null
| no | | default_security_group_name | Name to be used on the default security group |
string
|
"default"
| no | | default_security_group_tags | Additional tags for the default security group |
map(string)
|
{}
| no | | default_vpc_enable_classiclink | Should be true to enable ClassicLink in the Default VPC |
bool
|
false
| no | | default_vpc_enable_dns_hostnames | Should be true to enable DNS hostnames in the Default VPC |
bool
|
false
| no | | default_vpc_enable_dns_support | Should be true to enable DNS support in the Default VPC |
bool
|
true
| no | | default_vpc_name | Name to be used on the Default VPC |
string
|
""
| no | | default_vpc_tags | Additional tags for the Default VPC |
map(string)
|
{}
| no | | dhcp_options_domain_name | Specifies DNS name for DHCP options set (requires enable_dhcp_options set to true) |
string
|
""
| no | | dhcp_options_domain_name_servers | Specify a list of DNS server addresses for DHCP options set, default to AWS provided (requires enable_dhcp_options set to true) |
list(string)
|
[
"AmazonProvidedDNS"
]
| no | | dhcp_options_netbios_name_servers | Specify a list of netbios servers for DHCP options set (requires enable_dhcp_options set to true) |
list(string)
|
[]
| no | | dhcp_options_netbios_node_type | Specify netbios node_type for DHCP options set (requires enable_dhcp_options set to true) |
string
|
""
| no | | dhcp_options_ntp_servers | Specify a list of NTP servers for DHCP options set (requires enable_dhcp_options set to true) |
list(string)
|
[]
| no | | dhcp_options_tags | Additional tags for the DHCP option set (requires enable_dhcp_options set to true) |
map(string)
|
{}
| no | | dms_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for DMS endpoint |
bool
|
false
| no | | dms_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for DMS endpoint |
list(string)
|
[]
| no | | dms_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for DMS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. |
list(string)
|
[]
| no | | dynamodb_endpoint_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access |
string
|
null
| no | | dynamodb_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for DynamoDB interface endpoint |
bool
|
false
| no | | dynamodb_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for DynamoDB interface endpoint |
list(string)
|
[]
| no | | dynamodb_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for DynamoDB interface endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. |
list(string)
|
[]
| no | | dynamodb_endpoint_type | DynamoDB VPC endpoint type. Note - DynamoDB Interface type support is not yet available |
string
|
"Gateway"
| no | | ebs_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for EBS endpoint |
bool
|
false
| no | | ebs_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for EBS endpoint |
list(string)
|
[]
| no | | ebs_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for EBS endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used. |
list(string)
|
[]
| no | | ec2_autoscaling_endpoint_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access |
string
|
null
| no | | ec2_autoscaling_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for EC2 Autoscaling endpoint |
bool
|
false
| no | | ec2_autoscaling_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for EC2 Autoscaling endpoint |
list(string)
|
[]
| no | | ec2_autoscaling_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for EC2 Autoscaling endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. |
list(string)
|
[]
| no | | ec2_endpoint_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access |
string
|
null
| no | | ec2_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for EC2 endpoint |
bool
|
false
| no | | ec2_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for EC2 endpoint |
list(string)
|
[]
| no | | ec2_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for EC2 endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. |
list(string)
|
[]
| no | | ec2messages_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for EC2MESSAGES endpoint |
bool
|
false
| no | | ec2messages_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for EC2MESSAGES endpoint |
list(string)
|
[]
| no | | ec2messages_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for EC2MESSAGES endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. |
list(string)
|
[]
| no | | ecr_api_endpoint_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access |
string
|
null
| no | | ecr_api_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for ECR API endpoint |
bool
|
false
| no | | ecr_api_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for ECR API endpoint |
list(string)
|
[]
| no | | ecr_api_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for ECR api endpoint. If omitted, private subnets will be used. |
list(string)
|
[]
| no | | ecr_dkr_endpoint_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access |
string
|
null
| no | | ecr_dkr_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for ECR DKR endpoint |
bool
|
false
| no | | ecr_dkr_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for ECR DKR endpoint |
list(string)
|
[]
| no | | ecr_dkr_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for ECR dkr endpoint. If omitted, private subnets will be used. |
list(string)
|
[]
| no | | ecs_agent_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for ECS Agent endpoint |
bool
|
false
| no | | ecs_agent_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for ECS Agent endpoint |
list(string)
|
[]
| no | | ecs_agent_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for ECS Agent endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. |
list(string)
|
[]
| no | | ecs_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for ECS endpoint |
bool
|
false
| no | | ecs_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for ECS endpoint |
list(string)
|
[]
| no | | ecs_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for ECS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. |
list(string)
|
[]
| no | | ecs_telemetry_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for ECS Telemetry endpoint |
bool
|
false
| no | | ecs_telemetry_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for ECS Telemetry endpoint |
list(string)
|
[]
| no | | ecs_telemetry_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for ECS Telemetry endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. |
list(string)
|
[]
| no | | efs_endpoint_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access |
string
|
null
| no | | efs_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for EFS endpoint |
bool
|
false
| no | | efs_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for EFS endpoint |
list(string)
|
[]
| no | | efs_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for EFS endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used. |
list(string)
|
[]
| no | | elastic_inference_runtime_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for Elastic Inference Runtime endpoint |
bool
|
false
| no | | elastic_inference_runtime_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for Elastic Inference Runtime endpoint |
list(string)
|
[]
| no | | elastic_inference_runtime_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for Elastic Inference Runtime endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used. |
list(string)
|
[]
| no | | elasticache_acl_tags | Additional tags for the elasticache subnets network ACL |
map(string)
|
{}
| no | | elasticache_dedicated_network_acl | Whether to use dedicated network ACL (not default) and custom rules for elasticache subnets |
bool
|
false
| no | | elasticache_inbound_acl_rules | Elasticache subnets inbound network ACL rules |
list(map(string))
|
[
{
"cidrblock": "0.0.0.0/0",
"from
port": 0,
"protocol": "-1",
"ruleaction": "allow",
"rule
number": 100,
"toport": 0
}
]
| no | | <a name="inputelasticacheoutboundaclrules"> elasticache_outbound_acl_rules | Elasticache subnets outbound network ACL rules |
list(map(string))
|
[
{
"cidr
block": "0.0.0.0/0",
"fromport": 0,
"protocol": "-1",
"rule
action": "allow",
"rulenumber": 100,
"to
port": 0
}
] | no | | elasticache_route_table_tags | Additional tags for the elasticache route tables |
map(string)
|
{}
| no | | elasticache_subnet_assign_ipv6_address_on_creation | Assign IPv6 address on elasticache subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch |
bool
|
null
| no | | elasticache_subnet_ipv6_prefixes | Assigns IPv6 elasticache subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list |
list(string)
|
[]
| no | | elasticache_subnet_suffix | Suffix to append to elasticache subnets name |
string
|
"elasticache"
| no | | elasticache_subnet_tags | Additional tags for the elasticache subnets |
map(string)
|
{}
| no | | elasticache_subnets | A list of elasticache subnets |
list(string)
|
[]
| no | | elasticbeanstalk_endpoint_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access |
string
|
null
| no | | elasticbeanstalk_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for Elastic Beanstalk endpoint |
bool
|
false
| no | | elasticbeanstalk_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for Elastic Beanstalk endpoint |
list(string)
|
[]
| no | | elasticbeanstalk_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for Elastic Beanstalk endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. |
list(string)
|
[]
| no | | elasticbeanstalk_health_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for Elastic Beanstalk Health endpoint |
bool
|
false
| no | | elasticbeanstalk_health_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for Elastic Beanstalk Health endpoint |
list(string)
|
[]
| no | | elasticbeanstalk_health_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for Elastic Beanstalk Health endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. |
list(string)
|
[]
| no | | elasticloadbalancing_endpoint_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access |
string
|
null
| no | | elasticloadbalancing_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for Elastic Load Balancing endpoint |
bool
|
false
| no | | elasticloadbalancing_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for Elastic Load Balancing endpoint |
list(string)
|
[]
| no | | elasticloadbalancing_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for Elastic Load Balancing endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. |
list(string)
|
[]
| no | | emr_endpoint_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access |
string
|
null
| no | | emr_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for EMR endpoint |
bool
|
false
| no | | emr_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for EMR endpoint |
list(string)
|
[]
| no | | emr_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for EMR endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used. |
list(string)
|
[]
| no | | enable_access_analyzer_endpoint | Should be true if you want to provision an Access Analyzer endpoint to the VPC |
bool
|
false
| no | | enable_acm_pca_endpoint | Should be true if you want to provision an ACM PCA endpoint to the VPC |
bool
|
false
| no | | enable_apigw_endpoint | Should be true if you want to provision an api gateway endpoint to the VPC |
bool
|
false
| no | | enable_appmesh_envoy_management_endpoint | Should be true if you want to provision a AppMesh endpoint to the VPC |
bool
|
false
| no | | enable_appstream_api_endpoint | Should be true if you want to provision a AppStream API endpoint to the VPC |
bool
|
false
| no | | enable_appstream_streaming_endpoint | Should be true if you want to provision a AppStream Streaming endpoint to the VPC |
bool
|
false
| no | | enable_athena_endpoint | Should be true if you want to provision a Athena endpoint to the VPC |
bool
|
false
| no | | enable_auto_scaling_plans_endpoint | Should be true if you want to provision an Auto Scaling Plans endpoint to the VPC |
bool
|
false
| no | | enable_classiclink | Should be true to enable ClassicLink for the VPC. Only valid in regions and accounts that support EC2 Classic. |
bool
|
null
| no | | enable_classiclink_dns_support | Should be true to enable ClassicLink DNS Support for the VPC. Only valid in regions and accounts that support EC2 Classic. |
bool
|
null
| no | | enable_cloud_directory_endpoint | Should be true if you want to provision an Cloud Directory endpoint to the VPC |
bool
|
false
| no | | enable_cloudformation_endpoint | Should be true if you want to provision a Cloudformation endpoint to the VPC |
bool
|
false
| no | | enable_cloudtrail_endpoint | Should be true if you want to provision a CloudTrail endpoint to the VPC |
bool
|
false
| no | | enable_codeartifact_api_endpoint | Should be true if you want to provision an Codeartifact API endpoint to the VPC |
bool
|
false
| no | | enable_codeartifact_repositories_endpoint | Should be true if you want to provision an Codeartifact repositories endpoint to the VPC |
bool
|
false
| no | | enable_codebuild_endpoint | Should be true if you want to provision an Codebuild endpoint to the VPC |
bool
|
false
| no | | enable_codecommit_endpoint | Should be true if you want to provision an Codecommit endpoint to the VPC |
bool
|
false
| no | | enable_codedeploy_commands_secure_endpoint | Should be true if you want to provision an CodeDeploy Commands Secure endpoint to the VPC |
bool
|
false
| no | | enable_codedeploy_endpoint | Should be true if you want to provision an CodeDeploy endpoint to the VPC |
bool
|
false
| no | | enable_codepipeline_endpoint | Should be true if you want to provision a CodePipeline endpoint to the VPC |
bool
|
false
| no | | enable_config_endpoint | Should be true if you want to provision an config endpoint to the VPC |
bool
|
false
| no | | enable_datasync_endpoint | Should be true if you want to provision an Data Sync endpoint to the VPC |
bool
|
false
| no | | enable_dhcp_options | Should be true if you want to specify a DHCP options set with a custom domain name, DNS servers, NTP servers, netbios servers, and/or netbios server type |
bool
|
false
| no | | enable_dms_endpoint | Should be true if you want to provision a DMS endpoint to the VPC |
bool
|
false
| no | | enable_dns_hostnames | Should be true to enable DNS hostnames in the VPC |
bool
|
false
| no | | enable_dns_support | Should be true to enable DNS support in the VPC |
bool
|
true
| no | | enable_dynamodb_endpoint | Should be true if you want to provision a DynamoDB endpoint to the VPC |
bool
|
false
| no | | enable_ebs_endpoint | Should be true if you want to provision an EBS endpoint to the VPC |
bool
|
false
| no | | enable_ec2_autoscaling_endpoint | Should be true if you want to provision an EC2 Autoscaling endpoint to the VPC |
bool
|
false
| no | | enable_ec2_endpoint | Should be true if you want to provision an EC2 endpoint to the VPC |
bool
|
false
| no | | enable_ec2messages_endpoint | Should be true if you want to provision an EC2MESSAGES endpoint to the VPC |
bool
|
false
| no | | enable_ecr_api_endpoint | Should be true if you want to provision an ecr api endpoint to the VPC |
bool
|
false
| no | | enable_ecr_dkr_endpoint | Should be true if you want to provision an ecr dkr endpoint to the VPC |
bool
|
false
| no | | enable_ecs_agent_endpoint | Should be true if you want to provision a ECS Agent endpoint to the VPC |
bool
|
false
| no | | enable_ecs_endpoint | Should be true if you want to provision a ECS endpoint to the VPC |
bool
|
false
| no | | enable_ecs_telemetry_endpoint | Should be true if you want to provision a ECS Telemetry endpoint to the VPC |
bool
|
false
| no | | enable_efs_endpoint | Should be true if you want to provision an EFS endpoint to the VPC |
bool
|
false
| no | | enable_elastic_inference_runtime_endpoint | Should be true if you want to provision an Elastic Inference Runtime endpoint to the VPC |
bool
|
false
| no | | enable_elasticbeanstalk_endpoint | Should be true if you want to provision a Elastic Beanstalk endpoint to the VPC |
bool
|
false
| no | | enable_elasticbeanstalk_health_endpoint | Should be true if you want to provision a Elastic Beanstalk Health endpoint to the VPC |
bool
|
false
| no | | enable_elasticloadbalancing_endpoint | Should be true if you want to provision a Elastic Load Balancing endpoint to the VPC |
bool
|
false
| no | | enable_emr_endpoint | Should be true if you want to provision an EMR endpoint to the VPC |
bool
|
false
| no | | enable_events_endpoint | Should be true if you want to provision a CloudWatch Events endpoint to the VPC |
bool
|
false
| no | | enable_flow_log | Whether or not to enable VPC Flow Logs |
bool
|
false
| no | | enable_git_codecommit_endpoint | Should be true if you want to provision an Git Codecommit endpoint to the VPC |
bool
|
false
| no | | enable_glue_endpoint | Should be true if you want to provision a Glue endpoint to the VPC |
bool
|
false
| no | | enable_ipv6 | Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block. |
bool
|
false
| no | | enable_kinesis_firehose_endpoint | Should be true if you want to provision a Kinesis Firehose endpoint to the VPC |
bool
|
false
| no | | enable_kinesis_streams_endpoint | Should be true if you want to provision a Kinesis Streams endpoint to the VPC |
bool
|
false
| no | | enable_kms_endpoint | Should be true if you want to provision a KMS endpoint to the VPC |
bool
|
false
| no | | enable_lambda_endpoint | Should be true if you want to provision a Lambda endpoint to the VPC |
bool
|
false
| no | | enable_logs_endpoint | Should be true if you want to provision a CloudWatch Logs endpoint to the VPC |
bool
|
false
| no | | enable_monitoring_endpoint | Should be true if you want to provision a CloudWatch Monitoring endpoint to the VPC |
bool
|
false
| no | | enable_nat_gateway | Should be true if you want to provision NAT Gateways for each of your private networks |
bool
|
false
| no | | enable_public_redshift | Controls if redshift should have public routing table |
bool
|
false
| no | | enable_public_s3_endpoint | Whether to enable S3 VPC Endpoint for public subnets |
bool
|
true
| no | | enable_qldb_session_endpoint | Should be true if you want to provision an QLDB Session endpoint to the VPC |
bool
|
false
| no | | enable_rds_endpoint | Should be true if you want to provision an RDS endpoint to the VPC |
bool
|
false
| no | | enable_rekognition_endpoint | Should be true if you want to provision a Rekognition endpoint to the VPC |
bool
|
false
| no | | enable_s3_endpoint | Should be true if you want to provision an S3 endpoint to the VPC |
bool
|
false
| no | | enable_sagemaker_api_endpoint | Should be true if you want to provision a SageMaker API endpoint to the VPC |
bool
|
false
| no | | enable_sagemaker_notebook_endpoint | Should be true if you want to provision a Sagemaker Notebook endpoint to the VPC |
bool
|
false
| no | | enable_sagemaker_runtime_endpoint | Should be true if you want to provision a SageMaker Runtime endpoint to the VPC |
bool
|
false
| no | | enable_secretsmanager_endpoint | Should be true if you want to provision an Secrets Manager endpoint to the VPC |
bool
|
false
| no | | enable_servicecatalog_endpoint | Should be true if you want to provision a Service Catalog endpoint to the VPC |
bool
|
false
| no | | enable_ses_endpoint | Should be true if you want to provision an SES endpoint to the VPC |
bool
|
false
| no | | enable_sms_endpoint | Should be true if you want to provision an SMS endpoint to the VPC |
bool
|
false
| no | | enable_sns_endpoint | Should be true if you want to provision a SNS endpoint to the VPC |
bool
|
false
| no | | enable_sqs_endpoint | Should be true if you want to provision an SQS endpoint to the VPC |
bool
|
false
| no | | enable_ssm_endpoint | Should be true if you want to provision an SSM endpoint to the VPC |
bool
|
false
| no | | enable_ssmmessages_endpoint | Should be true if you want to provision a SSMMESSAGES endpoint to the VPC |
bool
|
false
| no | | enable_states_endpoint | Should be true if you want to provision a Step Function endpoint to the VPC |
bool
|
false
| no | | enable_storagegateway_endpoint | Should be true if you want to provision a Storage Gateway endpoint to the VPC |
bool
|
false
| no | | enable_sts_endpoint | Should be true if you want to provision a STS endpoint to the VPC |
bool
|
false
| no | | enable_textract_endpoint | Should be true if you want to provision an Textract endpoint to the VPC |
bool
|
false
| no | | enable_transfer_endpoint | Should be true if you want to provision a Transfer endpoint to the VPC |
bool
|
false
| no | | enable_transferserver_endpoint | Should be true if you want to provision a Transfer Server endpoint to the VPC |
bool
|
false
| no | | enable_vpn_gateway | Should be true if you want to create a new VPN Gateway resource and attach it to the VPC |
bool
|
false
| no | | enable_workspaces_endpoint | Should be true if you want to provision an Workspaces endpoint to the VPC |
bool
|
false
| no | | events_endpoint_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access |
string
|
null
| no | | events_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for CloudWatch Events endpoint |
bool
|
false
| no | | events_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for CloudWatch Events endpoint |
list(string)
|
[]
| no | | events_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for CloudWatch Events endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. |
list(string)
|
[]
| no | | external_nat_ip_ids | List of EIP IDs to be assigned to the NAT Gateways (used in combination with reuse_nat_ips) |
list(string)
|
[]
| no | | external_nat_ips | List of EIPs to be used for
nat_public_ips
output (used in combination with reuse_nat_ips and external_nat_ip_ids) |
list(string)
|
[]
| no | | flow_log_cloudwatch_iam_role_arn | The ARN for the IAM role that's used to post flow logs to a CloudWatch Logs log group. When flow_log_destination_arn is set to ARN of Cloudwatch Logs, this argument needs to be provided. |
string
|
""
| no | | flow_log_cloudwatch_log_group_kms_key_id | The ARN of the KMS Key to use when encrypting log data for VPC flow logs. |
string
|
null
| no | | flow_log_cloudwatch_log_group_name_prefix | Specifies the name prefix of CloudWatch Log Group for VPC flow logs. |
string
|
"/aws/vpc-flow-log/"
| no | | flow_log_cloudwatch_log_group_retention_in_days | Specifies the number of days you want to retain log events in the specified log group for VPC flow logs. |
number
|
null
| no | | flow_log_destination_arn | The ARN of the CloudWatch log group or S3 bucket where VPC Flow Logs will be pushed. If this ARN is a S3 bucket the appropriate permissions need to be set on that bucket's policy. When create_flow_log_cloudwatch_log_group is set to false this argument must be provided. |
string
|
""
| no | | flow_log_destination_type | Type of flow log destination. Can be s3 or cloud-watch-logs. |
string
|
"cloud-watch-logs"
| no | | flow_log_log_format | The fields to include in the flow log record, in the order in which they should appear. |
string
|
null
| no | | flow_log_max_aggregation_interval | The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values:
60
seconds or
600
seconds. |
number
|
600
| no | | flow_log_traffic_type | The type of traffic to capture. Valid values: ACCEPT, REJECT, ALL. |
string
|
"ALL"
| no | | git_codecommit_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for Git Codecommit endpoint |
bool
|
false
| no | | git_codecommit_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for Git Codecommit endpoint |
list(string)
|
[]
| no | | git_codecommit_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for Git Codecommit endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. |
list(string)
|
[]
| no | | glue_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for Glue endpoint |
bool
|
false
| no | | glue_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for Glue endpoint |
list(string)
|
[]
| no | | glue_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for Glue endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. |
list(string)
|
[]
| no | | igw_tags | Additional tags for the internet gateway |
map(string)
|
{}
| no | | instance_tenancy | A tenancy option for instances launched into the VPC |
string
|
"default"
| no | | intra_acl_tags | Additional tags for the intra subnets network ACL |
map(string)
|
{}
| no | | intra_dedicated_network_acl | Whether to use dedicated network ACL (not default) and custom rules for intra subnets |
bool
|
false
| no | | intra_inbound_acl_rules | Intra subnets inbound network ACLs |
list(map(string))
|
[
{
"cidrblock": "0.0.0.0/0",
"from
port": 0,
"protocol": "-1",
"ruleaction": "allow",
"rule
number": 100,
"toport": 0
}
]
| no | | <a name="inputintraoutboundaclrules"> intra_outbound_acl_rules | Intra subnets outbound network ACLs |
list(map(string))
|
[
{
"cidr
block": "0.0.0.0/0",
"fromport": 0,
"protocol": "-1",
"rule
action": "allow",
"rulenumber": 100,
"to
port": 0
}
] | no | | intra_route_table_tags | Additional tags for the intra route tables |
map(string)
|
{}
| no | | intra_subnet_assign_ipv6_address_on_creation | Assign IPv6 address on intra subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch |
bool
|
null
| no | | intra_subnet_ipv6_prefixes | Assigns IPv6 intra subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list |
list(string)
|
[]
| no | | intra_subnet_suffix | Suffix to append to intra subnets name |
string
|
"intra"
| no | | intra_subnet_tags | Additional tags for the intra subnets |
map(string)
|
{}
| no | | intra_subnets | A list of intra subnets |
list(string)
|
[]
| no | | kinesis_firehose_endpoint_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access |
string
|
null
| no | | kinesis_firehose_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for Kinesis Firehose endpoint |
bool
|
false
| no | | kinesis_firehose_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for Kinesis Firehose endpoint |
list(string)
|
[]
| no | | kinesis_firehose_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for Kinesis Firehose endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. |
list(string)
|
[]
| no | | kinesis_streams_endpoint_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access |
string
|
null
| no | | kinesis_streams_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for Kinesis Streams endpoint |
bool
|
false
| no | | kinesis_streams_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for Kinesis Streams endpoint |
list(string)
|
[]
| no | | kinesis_streams_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for Kinesis Streams endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. |
list(string)
|
[]
| no | | kms_endpoint_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access |
string
|
null
| no | | kms_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for KMS endpoint |
bool
|
false
| no | | kms_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for KMS endpoint |
list(string)
|
[]
| no | | kms_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for KMS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. |
list(string)
|
[]
| no | | lambda_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for Lambda endpoint |
bool
|
false
| no | | lambda_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for Lambda endpoint |
list(string)
|
[]
| no | | lambda_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for Lambda endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. |
list(string)
|
[]
| no | | logs_endpoint_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access |
string
|
null
| no | | logs_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for CloudWatch Logs endpoint |
bool
|
false
| no | | logs_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for CloudWatch Logs endpoint |
list(string)
|
[]
| no | | logs_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for CloudWatch Logs endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. |
list(string)
|
[]
| no | | manage_default_network_acl | Should be true to adopt and manage Default Network ACL |
bool
|
false
| no | | manage_default_route_table | Should be true to manage default route table |
bool
|
false
| no | | manage_default_security_group | Should be true to adopt and manage default security group |
bool
|
false
| no | | manage_default_vpc | Should be true to adopt and manage Default VPC |
bool
|
false
| no | | map_public_ip_on_launch | Should be false if you do not want to auto-assign public IP on launch |
bool
|
true
| no | | monitoring_endpoint_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access |
string
|
null
| no | | monitoring_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for CloudWatch Monitoring endpoint |
bool
|
false
| no | | monitoring_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for CloudWatch Monitoring endpoint |
list(string)
|
[]
| no | | monitoring_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for CloudWatch Monitoring endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. |
list(string)
|
[]
| no | | name | Name to be used on all the resources as identifier |
string
|
""
| no | | nat_eip_tags | Additional tags for the NAT EIP |
map(string)
|
{}
| no | | nat_gateway_tags | Additional tags for the NAT gateways |
map(string)
|
{}
| no | | one_nat_gateway_per_az | Should be true if you want only one NAT Gateway per availability zone. Requires
var.azs
to be set, and the number of
public_subnets
created to be greater than or equal to the number of availability zones specified in
var.azs
. |
bool
|
false
| no | | outpost_acl_tags | Additional tags for the outpost subnets network ACL |
map(string)
|
{}
| no | | outpost_arn | ARN of Outpost you want to create a subnet in. |
string
|
null
| no | | outpost_az | AZ where Outpost is anchored. |
string
|
null
| no | | outpost_dedicated_network_acl | Whether to use dedicated network ACL (not default) and custom rules for outpost subnets |
bool
|
false
| no | | outpost_inbound_acl_rules | Outpost subnets inbound network ACLs |
list(map(string))
|
[
{
"cidrblock": "0.0.0.0/0",
"from
port": 0,
"protocol": "-1",
"ruleaction": "allow",
"rule
number": 100,
"toport": 0
}
]
| no | | <a name="inputoutpostoutboundaclrules"> outpost_outbound_acl_rules | Outpost subnets outbound network ACLs |
list(map(string))
|
[
{
"cidr
block": "0.0.0.0/0",
"fromport": 0,
"protocol": "-1",
"rule
action": "allow",
"rulenumber": 100,
"to
port": 0
}
] | no | | outpost_subnet_assign_ipv6_address_on_creation | Assign IPv6 address on outpost subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch |
bool
|
null
| no | | outpost_subnet_ipv6_prefixes | Assigns IPv6 outpost subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list |
list(string)
|
[]
| no | | outpost_subnet_suffix | Suffix to append to outpost subnets name |
string
|
"outpost"
| no | | outpost_subnet_tags | Additional tags for the outpost subnets |
map(string)
|
{}
| no | | outpost_subnets | A list of outpost subnets inside the VPC |
list(string)
|
[]
| no | | private_acl_tags | Additional tags for the private subnets network ACL |
map(string)
|
{}
| no | | private_dedicated_network_acl | Whether to use dedicated network ACL (not default) and custom rules for private subnets |
bool
|
false
| no | | private_inbound_acl_rules | Private subnets inbound network ACLs |
list(map(string))
|
[
{
"cidrblock": "0.0.0.0/0",
"from
port": 0,
"protocol": "-1",
"ruleaction": "allow",
"rule
number": 100,
"toport": 0
}
]
| no | | <a name="inputprivateoutboundaclrules"> private_outbound_acl_rules | Private subnets outbound network ACLs |
list(map(string))
|
[
{
"cidr
block": "0.0.0.0/0",
"fromport": 0,
"protocol": "-1",
"rule
action": "allow",
"rulenumber": 100,
"to
port": 0
}
] | no | | private_route_table_tags | Additional tags for the private route tables |
map(string)
|
{}
| no | | private_subnet_assign_ipv6_address_on_creation | Assign IPv6 address on private subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch |
bool
|
null
| no | | private_subnet_ipv6_prefixes | Assigns IPv6 private subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list |
list(string)
|
[]
| no | | private_subnet_suffix | Suffix to append to private subnets name |
string
|
"private"
| no | | private_subnet_tags | Additional tags for the private subnets |
map(string)
|
{}
| no | | private_subnets | A list of private subnets inside the VPC |
list(string)
|
[]
| no | | propagate_intra_route_tables_vgw | Should be true if you want route table propagation |
bool
|
false
| no | | propagate_private_route_tables_vgw | Should be true if you want route table propagation |
bool
|
false
| no | | propagate_public_route_tables_vgw | Should be true if you want route table propagation |
bool
|
false
| no | | public_acl_tags | Additional tags for the public subnets network ACL |
map(string)
|
{}
| no | | public_dedicated_network_acl | Whether to use dedicated network ACL (not default) and custom rules for public subnets |
bool
|
false
| no | | public_inbound_acl_rules | Public subnets inbound network ACLs |
list(map(string))
|
[
{
"cidrblock": "0.0.0.0/0",
"from
port": 0,
"protocol": "-1",
"ruleaction": "allow",
"rule
number": 100,
"toport": 0
}
]
| no | | <a name="inputpublicoutboundaclrules"> public_outbound_acl_rules | Public subnets outbound network ACLs |
list(map(string))
|
[
{
"cidr
block": "0.0.0.0/0",
"fromport": 0,
"protocol": "-1",
"rule
action": "allow",
"rulenumber": 100,
"to
port": 0
}
] | no | | public_route_table_tags | Additional tags for the public route tables |
map(string)
|
{}
| no | | public_subnet_assign_ipv6_address_on_creation | Assign IPv6 address on public subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch |
bool
|
null
| no | | public_subnet_ipv6_prefixes | Assigns IPv6 public subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list |
list(string)
|
[]
| no | | public_subnet_suffix | Suffix to append to public subnets name |
string
|
"public"
| no | | public_subnet_tags | Additional tags for the public subnets |
map(string)
|
{}
| no | | public_subnets | A list of public subnets inside the VPC |
list(string)
|
[]
| no | | qldb_session_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for QLDB Session endpoint |
bool
|
false
| no | | qldb_session_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for QLDB Session endpoint |
list(string)
|
[]
| no | | qldb_session_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for QLDB Session endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used. |
list(string)
|
[]
| no | | rds_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for RDS endpoint |
bool
|
false
| no | | rds_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for RDS endpoint |
list(string)
|
[]
| no | | rds_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for RDS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. |
list(string)
|
[]
| no | | redshift_acl_tags | Additional tags for the redshift subnets network ACL |
map(string)
|
{}
| no | | redshift_dedicated_network_acl | Whether to use dedicated network ACL (not default) and custom rules for redshift subnets |
bool
|
false
| no | | redshift_inbound_acl_rules | Redshift subnets inbound network ACL rules |
list(map(string))
|
[
{
"cidrblock": "0.0.0.0/0",
"from
port": 0,
"protocol": "-1",
"ruleaction": "allow",
"rule
number": 100,
"toport": 0
}
]
| no | | <a name="inputredshiftoutboundaclrules"> redshift_outbound_acl_rules | Redshift subnets outbound network ACL rules |
list(map(string))
|
[
{
"cidr
block": "0.0.0.0/0",
"fromport": 0,
"protocol": "-1",
"rule
action": "allow",
"rulenumber": 100,
"to
port": 0
}
] | no | | redshift_route_table_tags | Additional tags for the redshift route tables |
map(string)
|
{}
| no | | redshift_subnet_assign_ipv6_address_on_creation | Assign IPv6 address on redshift subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch |
bool
|
null
| no | | redshift_subnet_group_tags | Additional tags for the redshift subnet group |
map(string)
|
{}
| no | | redshift_subnet_ipv6_prefixes | Assigns IPv6 redshift subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list |
list(string)
|
[]
| no | | redshift_subnet_suffix | Suffix to append to redshift subnets name |
string
|
"redshift"
| no | | redshift_subnet_tags | Additional tags for the redshift subnets |
map(string)
|
{}
| no | | redshift_subnets | A list of redshift subnets |
list(string)
|
[]
| no | | rekognition_endpoint_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access |
string
|
null
| no | | rekognition_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for Rekognition endpoint |
bool
|
false
| no | | rekognition_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for Rekognition endpoint |
list(string)
|
[]
| no | | rekognition_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for Rekognition endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. |
list(string)
|
[]
| no | | reuse_nat_ips | Should be true if you don't want EIPs to be created for your NAT Gateways and will instead pass them in via the 'external_nat_ip_ids' variable |
bool
|
false
| no | | s3_endpoint_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access |
string
|
null
| no | | s3_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for S3 interface endpoint |
bool
|
false
| no | | s3_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for S3 interface endpoint |
list(string)
|
[]
| no | | s3_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for S3 interface endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. |
list(string)
|
[]
| no | | s3_endpoint_type | S3 VPC endpoint type. Note - S3 Interface type support is only available on AWS provider 3.10 and later |
string
|
"Gateway"
| no | | sagemaker_api_endpoint_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access |
string
|
null
| no | | sagemaker_api_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for SageMaker API endpoint |
bool
|
false
| no | | sagemaker_api_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for SageMaker API endpoint |
list(string)
|
[]
| no | | sagemaker_api_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for SageMaker API endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. |
list(string)
|
[]
| no | | sagemaker_notebook_endpoint_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access |
string
|
null
| no | | sagemaker_notebook_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for Sagemaker Notebook endpoint |
bool
|
false
| no | | sagemaker_notebook_endpoint_region | Region to use for Sagemaker Notebook endpoint |
string
|
""
| no | | sagemaker_notebook_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for Sagemaker Notebook endpoint |
list(string)
|
[]
| no | | sagemaker_notebook_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for Sagemaker Notebook endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. |
list(string)
|
[]
| no | | sagemaker_runtime_endpoint_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access |
string
|
null
| no | | sagemaker_runtime_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for SageMaker Runtime endpoint |
bool
|
false
| no | | sagemaker_runtime_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for SageMaker Runtime endpoint |
list(string)
|
[]
| no | | sagemaker_runtime_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for SageMaker Runtime endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. |
list(string)
|
[]
| no | | secondary_cidr_blocks | List of secondary CIDR blocks to associate with the VPC to extend the IP Address pool |
list(string)
|
[]
| no | | secretsmanager_endpoint_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access |
string
|
null
| no | | secretsmanager_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for Secrets Manager endpoint |
bool
|
false
| no | | secretsmanager_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for Secrets Manager endpoint |
list(string)
|
[]
| no | | secretsmanager_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for Secrets Manager endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. |
list(string)
|
[]
| no | | servicecatalog_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for Service Catalog endpoint |
bool
|
false
| no | | servicecatalog_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for Service Catalog endpoint |
list(string)
|
[]
| no | | servicecatalog_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for Service Catalog endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. |
list(string)
|
[]
| no | | ses_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for SES endpoint |
bool
|
false
| no | | ses_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for SES endpoint |
list(string)
|
[]
| no | | ses_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for SES endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. |
list(string)
|
[]
| no | | single_nat_gateway | Should be true if you want to provision a single shared NAT Gateway across all of your private networks |
bool
|
false
| no | | sms_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for SMS endpoint |
bool
|
false
| no | | sms_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for SMS endpoint |
list(string)
|
[]
| no | | sms_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for SMS endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used. |
list(string)
|
[]
| no | | sns_endpoint_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access |
string
|
null
| no | | sns_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for SNS endpoint |
bool
|
false
| no | | sns_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for SNS endpoint |
list(string)
|
[]
| no | | sns_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for SNS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. |
list(string)
|
[]
| no | | sqs_endpoint_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access |
string
|
null
| no | | sqs_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for SQS endpoint |
bool
|
false
| no | | sqs_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for SQS endpoint |
list(string)
|
[]
| no | | sqs_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for SQS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. |
list(string)
|
[]
| no | | ssm_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for SSM endpoint |
bool
|
false
| no | | ssm_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for SSM endpoint |
list(string)
|
[]
| no | | ssm_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for SSM endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. |
list(string)
|
[]
| no | | ssmmessages_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for SSMMESSAGES endpoint |
bool
|
false
| no | | ssmmessages_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for SSMMESSAGES endpoint |
list(string)
|
[]
| no | | ssmmessages_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for SSMMESSAGES endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. |
list(string)
|
[]
| no | | states_endpoint_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access |
string
|
null
| no | | states_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for Step Function endpoint |
bool
|
false
| no | | states_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for Step Function endpoint |
list(string)
|
[]
| no | | states_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for Step Function endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. |
list(string)
|
[]
| no | | storagegateway_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for Storage Gateway endpoint |
bool
|
false
| no | | storagegateway_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for Storage Gateway endpoint |
list(string)
|
[]
| no | | storagegateway_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for Storage Gateway endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. |
list(string)
|
[]
| no | | sts_endpoint_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access |
string
|
null
| no | | sts_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for STS endpoint |
bool
|
false
| no | | sts_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for STS endpoint |
list(string)
|
[]
| no | | sts_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for STS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. |
list(string)
|
[]
| no | | tags | A map of tags to add to all resources |
map(string)
|
{}
| no | | textract_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for Textract endpoint |
bool
|
false
| no |
| textract_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for Textract endpoint | `list(string)` | `[]` | no |
| textract_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for Textract endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
| transfer_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for Transfer endpoint | `bool` | `false` | no |
| transfer_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for Transfer endpoint | `list(string)` | `[]` | no |
| transfer_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for Transfer endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
| transferserver_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for Transfer Server endpoint | `bool` | `false` | no |
| transferserver_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for Transfer Server endpoint | `list(string)` | `[]` | no |
| transferserver_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for Transfer Server endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
| vpc_endpoint_tags | Additional tags for the VPC Endpoints | `map(string)` | `{}` | no |
| vpc_flow_log_permissions_boundary | The ARN of the Permissions Boundary for the VPC Flow Log IAM Role | `string` | `null` | no |
| vpc_flow_log_tags | Additional tags for the VPC Flow Logs | `map(string)` | `{}` | no |
| vpc_tags | Additional tags for the VPC | `map(string)` | `{}` | no |
| vpn_gateway_az | The Availability Zone for the VPN Gateway | `string` | `null` | no |
| vpn_gateway_id | ID of VPN Gateway to attach to the VPC | `string` | `""` | no |
| vpn_gateway_tags | Additional tags for the VPN gateway | `map(string)` | `{}` | no |
| workspaces_endpoint_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access | `string` | `null` | no |
| workspaces_endpoint_private_dns_enabled | Whether or not to associate a private hosted zone with the specified VPC for Workspaces endpoint | `bool` | `false` | no |
| workspaces_endpoint_security_group_ids | The ID of one or more security groups to associate with the network interface for Workspaces endpoint | `list(string)` | `[]` | no |
| workspaces_endpoint_subnet_ids | The ID of one or more subnets in which to create a network interface for Workspaces endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
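A least-privilege use of the endpoint and flow-log inputs listed above, as an added example rather than the module's own documentation. It assumes the module toggles `enable_workspaces_endpoint`, `enable_flow_log`, `flow_log_destination_type`, `create_flow_log_cloudwatch_iam_role` and `create_flow_log_cloudwatch_log_group` (documented elsewhere in the README, not in this section) and the `~> 2.0` pin from the top of the page; the VPC name, CIDRs, AZs, tag values and the permissions-boundary ARN are constructed placeholders.

```hcl
data "aws_caller_identity" "current" {}

module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "~> 2.0"

  # Constructed network layout; replace with your own.
  name            = "example"
  cidr            = "10.0.0.0/16"
  azs             = ["eu-west-1a", "eu-west-1b"]
  private_subnets = ["10.0.1.0/24", "10.0.2.0/24"]
  public_subnets  = ["10.0.101.0/24", "10.0.102.0/24"]

  # WorkSpaces interface endpoint. enable_workspaces_endpoint is assumed to exist
  # alongside the workspaces_endpoint_* inputs documented above.
  enable_workspaces_endpoint              = true
  workspaces_endpoint_private_dns_enabled = true
  workspaces_endpoint_subnet_ids          = [] # empty list = module uses private subnets
  workspaces_endpoint_security_group_ids  = [aws_security_group.workspaces_endpoint.id]
  # Replace the "full access" default policy with one scoped to this account.
  workspaces_endpoint_policy = data.aws_iam_policy_document.workspaces_endpoint.json

  # VPC Flow Logs to CloudWatch; the module-created IAM role is kept inside a
  # permissions boundary so it cannot be widened beyond log delivery.
  enable_flow_log                      = true
  flow_log_destination_type            = "cloud-watch-logs"
  create_flow_log_cloudwatch_iam_role  = true
  create_flow_log_cloudwatch_log_group = true
  # Placeholder ARN; point this at the boundary policy in your account.
  vpc_flow_log_permissions_boundary = "arn:aws:iam::111122223333:policy/PLACEHOLDER-flow-log-boundary"

  vpc_tags          = { Owner = "platform-team" }
  vpc_endpoint_tags = { Purpose = "private-service-access" }
  vpc_flow_log_tags = { DataClass = "network-telemetry" }
}

# Dedicated security group for the endpoint ENIs: HTTPS only, and only from the
# private subnets, rather than from the whole VPC CIDR. Referencing module
# outputs here and passing the group back into the module is the same pattern
# the module's own examples use.
resource "aws_security_group" "workspaces_endpoint" {
  name        = "workspaces-endpoint"
  description = "HTTPS from private subnets to the WorkSpaces interface endpoint"
  vpc_id      = module.vpc.vpc_id

  ingress {
    description = "HTTPS from private subnets"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = module.vpc.private_subnets_cidr_blocks
  }
}

# Endpoint policy: any principal may present credentials, but the request is
# only allowed when the calling principal belongs to this account.
# aws:PrincipalAccount is a standard IAM global condition key.
data "aws_iam_policy_document" "workspaces_endpoint" {
  statement {
    effect    = "Allow"
    actions   = ["workspaces:*"]
    resources = ["*"]

    principals {
      type        = "AWS"
      identifiers = ["*"]
    }

    condition {
      test     = "StringEquals"
      variable = "aws:PrincipalAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}
```

After `terraform apply`, the module's `vpc_endpoint_workspaces_id` and `vpc_flow_log_cloudwatch_iam_role_arn` outputs (see the Outputs table) identify the endpoint and the bounded role for later audits.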

Outputs

| Name | Description |
|------|-------------|
| azs | A list of availability zones specified as argument to this module |
| cgw_arns | List of ARNs of Customer Gateway |
| cgw_ids | List of IDs of Customer Gateway |
| database_internet_gateway_route_id | ID of the database internet gateway route. |
| database_ipv6_egress_route_id | ID of the database IPv6 egress route. |
| database_nat_gateway_route_ids | List of IDs of the database nat gateway route. |
| database_network_acl_arn | ARN of the database network ACL |
| database_network_acl_id | ID of the database network ACL |
| database_route_table_association_ids | List of IDs of the database route table association |
| database_route_table_ids | List of IDs of database route tables |
| database_subnet_arns | List of ARNs of database subnets |
| database_subnet_group | ID of database subnet group |
| database_subnet_group_name | Name of database subnet group |
| database_subnets | List of IDs of database subnets |
| database_subnets_cidr_blocks | List of cidr_blocks of database subnets |
| database_subnets_ipv6_cidr_blocks | List of IPv6 cidr_blocks of database subnets in an IPv6 enabled VPC |
| default_network_acl_id | The ID of the default network ACL |
| default_route_table_id | The ID of the default route table |
| default_security_group_id | The ID of the security group created by default on VPC creation |
| default_vpc_arn | The ARN of the Default VPC |
| default_vpc_cidr_block | The CIDR block of the Default VPC |
| default_vpc_default_network_acl_id | The ID of the default network ACL of the Default VPC |
| default_vpc_default_route_table_id | The ID of the default route table of the Default VPC |
| default_vpc_default_security_group_id | The ID of the security group created by default on Default VPC creation |
| default_vpc_enable_dns_hostnames | Whether or not the Default VPC has DNS hostname support |
| default_vpc_enable_dns_support | Whether or not the Default VPC has DNS support |
| default_vpc_id | The ID of the Default VPC |
| default_vpc_instance_tenancy | Tenancy of instances spun up within Default VPC |
| default_vpc_main_route_table_id | The ID of the main route table associated with the Default VPC |
| egress_only_internet_gateway_id | The ID of the egress only Internet Gateway |
| elasticache_network_acl_arn | ARN of the elasticache network ACL |
| elasticache_network_acl_id | ID of the elasticache network ACL |
| elasticache_route_table_association_ids | List of IDs of the elasticache route table association |
| elasticache_route_table_ids | List of IDs of elasticache route tables |
| elasticache_subnet_arns | List of ARNs of elasticache subnets |
| elasticache_subnet_group | ID of elasticache subnet group |
| elasticache_subnet_group_name | Name of elasticache subnet group |
| elasticache_subnets | List of IDs of elasticache subnets |
| elasticache_subnets_cidr_blocks | List of cidr_blocks of elasticache subnets |
| elasticache_subnets_ipv6_cidr_blocks | List of IPv6 cidr_blocks of elasticache subnets in an IPv6 enabled VPC |
| igw_arn | The ARN of the Internet Gateway |
| igw_id | The ID of the Internet Gateway |
| intra_network_acl_arn | ARN of the intra network ACL |
| intra_network_acl_id | ID of the intra network ACL |
| intra_route_table_association_ids | List of IDs of the intra route table association |
| intra_route_table_ids | List of IDs of intra route tables |
| intra_subnet_arns | List of ARNs of intra subnets |
| intra_subnets | List of IDs of intra subnets |
| intra_subnets_cidr_blocks | List of cidr_blocks of intra subnets |
| intra_subnets_ipv6_cidr_blocks | List of IPv6 cidr_blocks of intra subnets in an IPv6 enabled VPC |
| name | The name of the VPC specified as argument to this module |
| nat_ids | List of allocation ID of Elastic IPs created for AWS NAT Gateway |
| nat_public_ips | List of public Elastic IPs created for AWS NAT Gateway |
| natgw_ids | List of NAT Gateway IDs |
| outpost_network_acl_arn | ARN of the outpost network ACL |
| outpost_network_acl_id | ID of the outpost network ACL |
| outpost_subnet_arns | List of ARNs of outpost subnets |
| outpost_subnets | List of IDs of outpost subnets |
| outpost_subnets_cidr_blocks | List of cidr_blocks of outpost subnets |
| outpost_subnets_ipv6_cidr_blocks | List of IPv6 cidr_blocks of outpost subnets in an IPv6 enabled VPC |
| private_ipv6_egress_route_ids | List of IDs of the ipv6 egress route. |
| private_nat_gateway_route_ids | List of IDs of the private nat gateway route. |
| private_network_acl_arn | ARN of the private network ACL |
| private_network_acl_id | ID of the private network ACL |
| private_route_table_association_ids | List of IDs of the private route table association |
| private_route_table_ids | List of IDs of private route tables |
| private_subnet_arns | List of ARNs of private subnets |
| private_subnets | List of IDs of private subnets |
| private_subnets_cidr_blocks | List of cidr_blocks of private subnets |
| private_subnets_ipv6_cidr_blocks | List of IPv6 cidr_blocks of private subnets in an IPv6 enabled VPC |
| public_internet_gateway_ipv6_route_id | ID of the IPv6 internet gateway route. |
| public_internet_gateway_route_id | ID of the internet gateway route. |
| public_network_acl_arn | ARN of the public network ACL |
| public_network_acl_id | ID of the public network ACL |
| public_route_table_association_ids | List of IDs of the public route table association |
| public_route_table_ids | List of IDs of public route tables |
| public_subnet_arns | List of ARNs of public subnets |
| public_subnets | List of IDs of public subnets |
| public_subnets_cidr_blocks | List of cidr_blocks of public subnets |
| public_subnets_ipv6_cidr_blocks | List of IPv6 cidr_blocks of public subnets in an IPv6 enabled VPC |
| redshift_network_acl_arn | ARN of the redshift network ACL |
| redshift_network_acl_id | ID of the redshift network ACL |
| redshift_public_route_table_association_ids | List of IDs of the public redshift route table association |
| redshift_route_table_association_ids | List of IDs of the redshift route table association |
| redshift_route_table_ids | List of IDs of redshift route tables |
| redshift_subnet_arns | List of ARNs of redshift subnets |
| redshift_subnet_group | ID of redshift subnet group |
| redshift_subnets | List of IDs of redshift subnets |
| redshift_subnets_cidr_blocks | List of cidr_blocks of redshift subnets |
| redshift_subnets_ipv6_cidr_blocks | List of IPv6 cidr_blocks of redshift subnets in an IPv6 enabled VPC |
| this_customer_gateway | Map of Customer Gateway attributes |
| vgw_arn | The ARN of the VPN Gateway |
| vgw_id | The ID of the VPN Gateway |
| vpc_arn | The ARN of the VPC |
| vpc_cidr_block | The CIDR block of the VPC |
| vpc_enable_dns_hostnames | Whether or not the VPC has DNS hostname support |
| vpc_enable_dns_support | Whether or not the VPC has DNS support |
| vpc_endpoint_access_analyzer_dns_entry | The DNS entries for the VPC Endpoint for Access Analyzer. |
| vpc_endpoint_access_analyzer_id | The ID of VPC endpoint for Access Analyzer |
| vpc_endpoint_access_analyzer_network_interface_ids | One or more network interfaces for the VPC Endpoint for Access Analyzer. |
| vpc_endpoint_acm_pca_dns_entry | The DNS entries for the VPC Endpoint for ACM PCA. |
| vpc_endpoint_acm_pca_id | The ID of VPC endpoint for ACM PCA |
| vpc_endpoint_acm_pca_network_interface_ids | One or more network interfaces for the VPC Endpoint for ACM PCA. |
| vpc_endpoint_apigw_dns_entry | The DNS entries for the VPC Endpoint for APIGW. |
| vpc_endpoint_apigw_id | The ID of VPC endpoint for APIGW |
| vpc_endpoint_apigw_network_interface_ids | One or more network interfaces for the VPC Endpoint for APIGW. |
| vpc_endpoint_appmesh_envoy_management_dns_entry | The DNS entries for the VPC Endpoint for AppMesh. |
| vpc_endpoint_appmesh_envoy_management_id | The ID of VPC endpoint for AppMesh |
| vpc_endpoint_appmesh_envoy_management_network_interface_ids | One or more network interfaces for the VPC Endpoint for AppMesh. |
| vpc_endpoint_appstream_api_dns_entry | The DNS entries for the VPC Endpoint for AppStream API. |
| vpc_endpoint_appstream_api_id | The ID of VPC endpoint for AppStream API |
| vpc_endpoint_appstream_api_network_interface_ids | One or more network interfaces for the VPC Endpoint for AppStream API. |
| vpc_endpoint_appstream_streaming_dns_entry | The DNS entries for the VPC Endpoint for AppStream Streaming. |
| vpc_endpoint_appstream_streaming_id | The ID of VPC endpoint for AppStream Streaming |
| vpc_endpoint_appstream_streaming_network_interface_ids | One or more network interfaces for the VPC Endpoint for AppStream Streaming. |
| vpc_endpoint_athena_dns_entry | The DNS entries for the VPC Endpoint for Athena. |
| vpc_endpoint_athena_id | The ID of VPC endpoint for Athena |
| vpc_endpoint_athena_network_interface_ids | One or more network interfaces for the VPC Endpoint for Athena. |
| vpc_endpoint_auto_scaling_plans_dns_entry | The DNS entries for the VPC Endpoint for Auto Scaling Plans. |
| vpc_endpoint_auto_scaling_plans_id | The ID of VPC endpoint for Auto Scaling Plans |
| vpc_endpoint_auto_scaling_plans_network_interface_ids | One or more network interfaces for the VPC Endpoint for Auto Scaling Plans. |
| vpc_endpoint_cloud_directory_dns_entry | The DNS entries for the VPC Endpoint for Cloud Directory. |
| vpc_endpoint_cloud_directory_id | The ID of VPC endpoint for Cloud Directory |
| vpc_endpoint_cloud_directory_network_interface_ids | One or more network interfaces for the VPC Endpoint for Cloud Directory. |
| vpc_endpoint_cloudformation_dns_entry | The DNS entries for the VPC Endpoint for Cloudformation. |
| vpc_endpoint_cloudformation_id | The ID of VPC endpoint for Cloudformation |
| vpc_endpoint_cloudformation_network_interface_ids | One or more network interfaces for the VPC Endpoint for Cloudformation. |
| vpc_endpoint_cloudtrail_dns_entry | The DNS entries for the VPC Endpoint for CloudTrail. |
| vpc_endpoint_cloudtrail_id | The ID of VPC endpoint for CloudTrail |
| vpc_endpoint_cloudtrail_network_interface_ids | One or more network interfaces for the VPC Endpoint for CloudTrail. |
| vpc_endpoint_codeartifact_api_dns_entry | The DNS entries for the VPC Endpoint for Codeartifact API. |
| vpc_endpoint_codeartifact_api_id | The ID of VPC endpoint for Codeartifact API |
| vpc_endpoint_codeartifact_api_network_interface_ids | One or more network interfaces for the VPC Endpoint for Codeartifact API. |
| vpc_endpoint_codeartifact_repositories_dns_entry | The DNS entries for the VPC Endpoint for Codeartifact repositories. |
| vpc_endpoint_codeartifact_repositories_id | The ID of VPC endpoint for Codeartifact repositories |
| vpc_endpoint_codeartifact_repositories_network_interface_ids | One or more network interfaces for the VPC Endpoint for Codeartifact repositories. |
| vpc_endpoint_codebuild_dns_entry | The DNS entries for the VPC Endpoint for codebuild. |
| vpc_endpoint_codebuild_id | The ID of VPC endpoint for codebuild |
| vpc_endpoint_codebuild_network_interface_ids | One or more network interfaces for the VPC Endpoint for codebuild. |
| vpc_endpoint_codecommit_dns_entry | The DNS entries for the VPC Endpoint for codecommit. |
| vpc_endpoint_codecommit_id | The ID of VPC endpoint for codecommit |
| vpc_endpoint_codecommit_network_interface_ids | One or more network interfaces for the VPC Endpoint for codecommit. |
| vpc_endpoint_codepipeline_dns_entry | The DNS entries for the VPC Endpoint for CodePipeline. |
| vpc_endpoint_codepipeline_id | The ID of VPC endpoint for CodePipeline |
| vpc_endpoint_codepipeline_network_interface_ids | One or more network interfaces for the VPC Endpoint for CodePipeline. |
| vpc_endpoint_config_dns_entry | The DNS entries for the VPC Endpoint for config. |
| vpc_endpoint_config_id | The ID of VPC endpoint for config |
| vpc_endpoint_config_network_interface_ids | One or more network interfaces for the VPC Endpoint for config. |
| vpc_endpoint_datasync_dns_entry | The DNS entries for the VPC Endpoint for DataSync. |
| vpc_endpoint_datasync_id | The ID of VPC endpoint for DataSync |
| vpc_endpoint_datasync_network_interface_ids | One or more network interfaces for the VPC Endpoint for DataSync. |
| vpc_endpoint_dms_dns_entry | The DNS entries for the VPC Endpoint for DMS. |
| vpc_endpoint_dms_id | The ID of VPC endpoint for DMS |
| vpc_endpoint_dms_network_interface_ids | One or more network interfaces for the VPC Endpoint for DMS. |
| vpc_endpoint_dynamodb_id | The ID of VPC endpoint for DynamoDB |
| vpc_endpoint_dynamodb_pl_id | The prefix list for the DynamoDB VPC endpoint. |
| vpc_endpoint_ebs_dns_entry | The DNS entries for the VPC Endpoint for EBS. |
| vpc_endpoint_ebs_id | The ID of VPC endpoint for EBS |
| vpc_endpoint_ebs_network_interface_ids | One or more network interfaces for the VPC Endpoint for EBS. |
| vpc_endpoint_ec2_autoscaling_dns_entry | The DNS entries for the VPC Endpoint for EC2 Autoscaling. |
| vpc_endpoint_ec2_autoscaling_id | The ID of VPC endpoint for EC2 Autoscaling |
| vpc_endpoint_ec2_autoscaling_network_interface_ids | One or more network interfaces for the VPC Endpoint for EC2 Autoscaling |
| vpc_endpoint_ec2_dns_entry | The DNS entries for the VPC Endpoint for EC2. |
| vpc_endpoint_ec2_id | The ID of VPC endpoint for EC2 |
| vpc_endpoint_ec2_network_interface_ids | One or more network interfaces for the VPC Endpoint for EC2 |
| vpc_endpoint_ec2messages_dns_entry | The DNS entries for the VPC Endpoint for EC2MESSAGES. |
| vpc_endpoint_ec2messages_id | The ID of VPC endpoint for EC2MESSAGES |
| vpc_endpoint_ec2messages_network_interface_ids | One or more network interfaces for the VPC Endpoint for EC2MESSAGES |
| vpc_endpoint_ecr_api_dns_entry | The DNS entries for the VPC Endpoint for ECR API. |
| vpc_endpoint_ecr_api_id | The ID of VPC endpoint for ECR API |
| vpc_endpoint_ecr_api_network_interface_ids | One or more network interfaces for the VPC Endpoint for ECR API. |
| vpc_endpoint_ecr_dkr_dns_entry | The DNS entries for the VPC Endpoint for ECR DKR. |
| vpc_endpoint_ecr_dkr_id | The ID of VPC endpoint for ECR DKR |
| vpc_endpoint_ecr_dkr_network_interface_ids | One or more network interfaces for the VPC Endpoint for ECR DKR. |
| vpc_endpoint_ecs_agent_dns_entry | The DNS entries for the VPC Endpoint for ECS Agent. |
| vpc_endpoint_ecs_agent_id | The ID of VPC endpoint for ECS Agent |
| vpc_endpoint_ecs_agent_network_interface_ids | One or more network interfaces for the VPC Endpoint for ECS Agent. |
| vpc_endpoint_ecs_dns_entry | The DNS entries for the VPC Endpoint for ECS. |
| vpc_endpoint_ecs_id | The ID of VPC endpoint for ECS |
| vpc_endpoint_ecs_network_interface_ids | One or more network interfaces for the VPC Endpoint for ECS. |
| vpc_endpoint_ecs_telemetry_dns_entry | The DNS entries for the VPC Endpoint for ECS Telemetry. |
| vpc_endpoint_ecs_telemetry_id | The ID of VPC endpoint for ECS Telemetry |
| vpc_endpoint_ecs_telemetry_network_interface_ids | One or more network interfaces for the VPC Endpoint for ECS Telemetry. |
| vpc_endpoint_efs_dns_entry | The DNS entries for the VPC Endpoint for EFS. |
| vpc_endpoint_efs_id | The ID of VPC endpoint for EFS |
| vpc_endpoint_efs_network_interface_ids | One or more network interfaces for the VPC Endpoint for EFS. |
| vpc_endpoint_elastic_inference_runtime_dns_entry | The DNS entries for the VPC Endpoint for Elastic Inference Runtime. |
| vpc_endpoint_elastic_inference_runtime_id | The ID of VPC endpoint for Elastic Inference Runtime |
| vpc_endpoint_elastic_inference_runtime_network_interface_ids | One or more network interfaces for the VPC Endpoint for Elastic Inference Runtime. |
| vpc_endpoint_elasticbeanstalk_dns_entry | The DNS entries for the VPC Endpoint for Elastic Beanstalk. |
| vpc_endpoint_elasticbeanstalk_health_dns_entry | The DNS entries for the VPC Endpoint for Elastic Beanstalk Health. |
| vpc_endpoint_elasticbeanstalk_health_id | The ID of VPC endpoint for Elastic Beanstalk Health |
| vpc_endpoint_elasticbeanstalk_health_network_interface_ids | One or more network interfaces for the VPC Endpoint for Elastic Beanstalk Health. |
| vpc_endpoint_elasticbeanstalk_id | The ID of VPC endpoint for Elastic Beanstalk |
| vpc_endpoint_elasticbeanstalk_network_interface_ids | One or more network interfaces for the VPC Endpoint for Elastic Beanstalk. |
| vpc_endpoint_elasticloadbalancing_dns_entry | The DNS entries for the VPC Endpoint for Elastic Load Balancing. |
| vpc_endpoint_elasticloadbalancing_id | The ID of VPC endpoint for Elastic Load Balancing |
| vpc_endpoint_elasticloadbalancing_network_interface_ids | One or more network interfaces for the VPC Endpoint for Elastic Load Balancing. |
| vpc_endpoint_elasticmapreduce_dns_entry | The DNS entries for the VPC Endpoint for EMR. |
| vpc_endpoint_elasticmapreduce_id | The ID of VPC endpoint for EMR |
| vpc_endpoint_elasticmapreduce_network_interface_ids | One or more network interfaces for the VPC Endpoint for EMR. |
| vpc_endpoint_events_dns_entry | The DNS entries for the VPC Endpoint for CloudWatch Events. |
| vpc_endpoint_events_id | The ID of VPC endpoint for CloudWatch Events |
| vpc_endpoint_events_network_interface_ids | One or more network interfaces for the VPC Endpoint for CloudWatch Events. |
| vpc_endpoint_git_codecommit_dns_entry | The DNS entries for the VPC Endpoint for git_codecommit. |
| vpc_endpoint_git_codecommit_id | The ID of VPC endpoint for git_codecommit |
| vpc_endpoint_git_codecommit_network_interface_ids | One or more network interfaces for the VPC Endpoint for git_codecommit. |
| vpc_endpoint_glue_dns_entry | The DNS entries for the VPC Endpoint for Glue. |
| vpc_endpoint_glue_id | The ID of VPC endpoint for Glue |
| vpc_endpoint_glue_network_interface_ids | One or more network interfaces for the VPC Endpoint for Glue. |
| vpc_endpoint_kinesis_firehose_dns_entry | The DNS entries for the VPC Endpoint for Kinesis Firehose. |
| vpc_endpoint_kinesis_firehose_id | The ID of VPC endpoint for Kinesis Firehose |
| vpc_endpoint_kinesis_firehose_network_interface_ids | One or more network interfaces for the VPC Endpoint for Kinesis Firehose. |
| vpc_endpoint_kinesis_streams_dns_entry | The DNS entries for the VPC Endpoint for Kinesis Streams. |
| vpc_endpoint_kinesis_streams_id | The ID of VPC endpoint for Kinesis Streams |
| vpc_endpoint_kinesis_streams_network_interface_ids | One or more network interfaces for the VPC Endpoint for Kinesis Streams. |
| vpc_endpoint_kms_dns_entry | The DNS entries for the VPC Endpoint for KMS. |
| vpc_endpoint_kms_id | The ID of VPC endpoint for KMS |
| vpc_endpoint_kms_network_interface_ids | One or more network interfaces for the VPC Endpoint for KMS. |
| vpc_endpoint_lambda_dns_entry | The DNS entries for the VPC Endpoint for Lambda. |
| vpc_endpoint_lambda_id | The ID of VPC endpoint for Lambda |
| vpc_endpoint_lambda_network_interface_ids | One or more network interfaces for the VPC Endpoint for Lambda. |
| vpc_endpoint_logs_dns_entry | The DNS entries for the VPC Endpoint for CloudWatch Logs. |
| vpc_endpoint_logs_id | The ID of VPC endpoint for CloudWatch Logs |
| vpc_endpoint_logs_network_interface_ids | One or more network interfaces for the VPC Endpoint for CloudWatch Logs. |
| vpc_endpoint_monitoring_dns_entry | The DNS entries for the VPC Endpoint for CloudWatch Monitoring. |
| vpc_endpoint_monitoring_id | The ID of VPC endpoint for CloudWatch Monitoring |
| vpc_endpoint_monitoring_network_interface_ids | One or more network interfaces for the VPC Endpoint for CloudWatch Monitoring. |
| vpc_endpoint_qldb_session_dns_entry | The DNS entries for the VPC Endpoint for QLDB Session. |
| vpc_endpoint_qldb_session_id | The ID of VPC endpoint for QLDB Session |
| vpc_endpoint_qldb_session_network_interface_ids | One or more network interfaces for the VPC Endpoint for QLDB Session. |
| vpc_endpoint_rds_dns_entry | The DNS entries for the VPC Endpoint for RDS. |
| vpc_endpoint_rds_id | The ID of VPC endpoint for RDS |
| vpc_endpoint_rds_network_interface_ids | One or more network interfaces for the VPC Endpoint for RDS. |
| vpc_endpoint_rekognition_dns_entry | The DNS entries for the VPC Endpoint for Rekognition. |
| vpc_endpoint_rekognition_id | The ID of VPC endpoint for Rekognition |
| vpc_endpoint_rekognition_network_interface_ids | One or more network interfaces for the VPC Endpoint for Rekognition. |
| vpc_endpoint_s3_id | The ID of VPC endpoint for S3 |
| vpc_endpoint_s3_pl_id | The prefix list for the S3 VPC endpoint. |
| vpc_endpoint_sagemaker_api_dns_entry | The DNS entries for the VPC Endpoint for SageMaker API. |
| vpc_endpoint_sagemaker_api_id | The ID of VPC endpoint for SageMaker API |
| vpc_endpoint_sagemaker_api_network_interface_ids | One or more network interfaces for the VPC Endpoint for SageMaker API. |
| vpc_endpoint_sagemaker_runtime_dns_entry | The DNS entries for the VPC Endpoint for SageMaker Runtime. |
| vpc_endpoint_sagemaker_runtime_id | The ID of VPC endpoint for SageMaker Runtime |
| vpc_endpoint_sagemaker_runtime_network_interface_ids | One or more network interfaces for the VPC Endpoint for SageMaker Runtime. |
| vpc_endpoint_secretsmanager_dns_entry | The DNS entries for the VPC Endpoint for secretsmanager. |
| vpc_endpoint_secretsmanager_id | The ID of VPC endpoint for secretsmanager |
| vpc_endpoint_secretsmanager_network_interface_ids | One or more network interfaces for the VPC Endpoint for secretsmanager. |
| vpc_endpoint_servicecatalog_dns_entry | The DNS entries for the VPC Endpoint for Service Catalog. |
| vpc_endpoint_servicecatalog_id | The ID of VPC endpoint for Service Catalog |
| vpc_endpoint_servicecatalog_network_interface_ids | One or more network interfaces for the VPC Endpoint for Service Catalog. |
| vpc_endpoint_ses_dns_entry | The DNS entries for the VPC Endpoint for SES. |
| vpc_endpoint_ses_id | The ID of VPC endpoint for SES |
| vpc_endpoint_ses_network_interface_ids | One or more network interfaces for the VPC Endpoint for SES. |
| vpc_endpoint_sms_dns_entry | The DNS entries for the VPC Endpoint for SMS. |
| vpc_endpoint_sms_id | The ID of VPC endpoint for SMS |
| vpc_endpoint_sms_network_interface_ids | One or more network interfaces for the VPC Endpoint for SMS. |
| vpc_endpoint_sns_dns_entry | The DNS entries for the VPC Endpoint for SNS. |
| vpc_endpoint_sns_id | The ID of VPC endpoint for SNS |
| vpc_endpoint_sns_network_interface_ids | One or more network interfaces for the VPC Endpoint for SNS. |
| vpc_endpoint_sqs_dns_entry | The DNS entries for the VPC Endpoint for SQS. |
| vpc_endpoint_sqs_id | The ID of VPC endpoint for SQS |
| vpc_endpoint_sqs_network_interface_ids | One or more network interfaces for the VPC Endpoint for SQS. |
| vpc_endpoint_ssm_dns_entry | The DNS entries for the VPC Endpoint for SSM. |
| vpc_endpoint_ssm_id | The ID of VPC endpoint for SSM |
| vpc_endpoint_ssm_network_interface_ids | One or more network interfaces for the VPC Endpoint for SSM. |
| vpc_endpoint_ssmmessages_dns_entry | The DNS entries for the VPC Endpoint for SSMMESSAGES. |
| vpc_endpoint_ssmmessages_id | The ID of VPC endpoint for SSMMESSAGES |
| vpc_endpoint_ssmmessages_network_interface_ids | One or more network interfaces for the VPC Endpoint for SSMMESSAGES. |
| vpc_endpoint_states_dns_entry | The DNS entries for the VPC Endpoint for Step Function. |
| vpc_endpoint_states_id | The ID of VPC endpoint for Step Function |
| vpc_endpoint_states_network_interface_ids | One or more network interfaces for the VPC Endpoint for Step Function. |
| vpc_endpoint_storagegateway_dns_entry | The DNS entries for the VPC Endpoint for Storage Gateway. |
| vpc_endpoint_storagegateway_id | The ID of VPC endpoint for Storage Gateway |
| vpc_endpoint_storagegateway_network_interface_ids | One or more network interfaces for the VPC Endpoint for Storage Gateway. |
| vpc_endpoint_sts_dns_entry | The DNS entries for the VPC Endpoint for STS. |
| vpc_endpoint_sts_id | The ID of VPC endpoint for STS |
| vpc_endpoint_sts_network_interface_ids | One or more network interfaces for the VPC Endpoint for STS. |
| vpc_endpoint_textract_dns_entry | The DNS entries for the VPC Endpoint for Textract. |
| vpc_endpoint_textract_id | The ID of VPC endpoint for Textract |
| vpc_endpoint_textract_network_interface_ids | One or more network interfaces for the VPC Endpoint for Textract. |
| vpc_endpoint_transfer_dns_entry | The DNS entries for the VPC Endpoint for Transfer. |
| vpc_endpoint_transfer_id | The ID of VPC endpoint for Transfer |
| vpc_endpoint_transfer_network_interface_ids | One or more network interfaces for the VPC Endpoint for Transfer. |
| vpc_endpoint_transferserver_dns_entry | The DNS entries for the VPC Endpoint for transferserver. |
| vpc_endpoint_transferserver_id | The ID of VPC endpoint for transferserver |
| vpc_endpoint_transferserver_network_interface_ids | One or more network interfaces for the VPC Endpoint for transferserver |
| vpc_endpoint_workspaces_dns_entry | The DNS entries for the VPC Endpoint for Workspaces. |
| vpc_endpoint_workspaces_id | The ID of VPC endpoint for Workspaces |
| vpc_endpoint_workspaces_network_interface_ids | One or more network interfaces for the VPC Endpoint for Workspaces. |
| vpc_flow_log_cloudwatch_iam_role_arn | The ARN of the IAM role used when pushing logs to Cloudwatch log group |
| vpc_flow_log_destination_arn | The ARN of the destination for VPC Flow Logs |
| vpc_flow_log_destination_type | The type of the destination for VPC Flow Logs |
| vpc_flow_log_id | The ID of the Flow Log resource |
| vpc_id | The ID of the VPC |
| vpc_instance_tenancy | Tenancy of instances spun up within VPC |
| vpc_ipv6_association_id | The association ID for the IPv6 CIDR block |
| vpc_ipv6_cidr_block | The IPv6 CIDR block |
| vpc_main_route_table_id | The ID of the main route table associated with this VPC |
| vpc_owner_id | The ID of the AWS account that owns the VPC |
| vpc_secondary_cidr_blocks | List of secondary CIDR blocks of the VPC |

Authors

Module is maintained by Anton Babenko with help from these awesome contributors.

License

Apache 2 Licensed. See LICENSE for full details.
