### Terraform: String Input Example

Source: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/README.md

Shows examples of string input variables for Terraform. These can include specifying subnet names, DNS hostname types, or suffixes for resource naming. The `null` value indicates that no specific value has been set, allowing for defaults or dynamic generation.

```json
{
  "public_subnet_private_dns_hostname_type_on_launch": null,
  "public_subnet_suffix": "public"
}
```

--------------------------------

### Terraform: Map of Maps of Strings Input Example

Source: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/README.md

Shows an example of a nested map structure for input variables in Terraform. This structure is used for applying tags to public subnets on a per-availability-zone basis, allowing more granular tagging control.

```json
{
  "public_subnet_tags_per_az": {}
}
```

--------------------------------

### Initialize, Plan, and Apply Terraform Configuration

Source: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/examples/flow-log/README.md

Standard Terraform commands to initialize the project, view the execution plan, and apply the configuration to create AWS resources. These commands deploy the VPC Flow Log example.

```bash
terraform init
terraform plan
terraform apply
```

--------------------------------

### Terraform: AWS VPC Module Configuration (Issue 108)

Source: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/examples/issues/README.md

This Terraform configuration uses the AWS VPC module to create VPC resources for the reproduction of issue 108. It declares the Terraform and AWS provider requirements, uses a data source to list the available AWS availability zones, and outputs the subnet IDs and the VPC ID.

```hcl
terraform {
  required_version = ">= 1.0"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 6.0"
    }
  }
}

provider "aws" {
  version = ">= 6.0"
}

data "aws_availability_zones" "available" {}

module "vpc_issue_108" {
  source = "../../"
}

output "issue_108_vpc_id" {
  description = "The ID of the VPC"
  value       = module.vpc_issue_108.vpc_id
}

output "issue_108_public_subnets" {
  description = "List of IDs of public subnets"
  value       = module.vpc_issue_108.public_subnets
}

output "issue_108_private_subnets" {
  description = "List of IDs of private subnets"
  value       = module.vpc_issue_108.private_subnets
}

output "issue_108_database_subnets" {
  description = "List of IDs of database subnets"
  value       = module.vpc_issue_108.database_subnets
}

output "issue_108_elasticache_subnets" {
  description = "List of IDs of elasticache subnets"
  value       = module.vpc_issue_108.elasticache_subnets
}

output "issue_108_nat_public_ips" {
  description = "List of public Elastic IPs created for AWS NAT Gateway"
  value       = module.vpc_issue_108.nat_public_ips
}
```

--------------------------------

### Terraform: List of Strings Input Example

Source: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/README.md

Demonstrates the use of a list of strings for input variables in Terraform. This is commonly used for specifying IPv6 prefixes for subnets or explicit names for public subnets. An empty list `[]` signifies that no values are provided.

```json
{
  "public_subnet_ipv6_prefixes": [],
  "public_subnet_names": []
}
```

--------------------------------

### Basic VPC Creation with Terraform

Source: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/README.md

This example demonstrates the fundamental usage of the AWS VPC Terraform module to create a new VPC with specified CIDR blocks, availability zones, private and public subnets, and enables NAT and VPN gateways. It also includes basic tags for environment and Terraform status.

```hcl
module "vpc" {
  source = "terraform-aws-modules/vpc/aws"

  name = "my-vpc"
  cidr = "10.0.0.0/16"

  azs             = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
  private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
  public_subnets  = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]

  enable_nat_gateway = true
  enable_vpn_gateway = true

  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}
```

--------------------------------

### Terraform: List of Strings Input for Public Subnets

Source: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/README.md

Provides an example of a list of strings input for defining public subnets within a VPC. An empty list `[]` is used when no public subnets are defined by default, allowing the module to create them based on other configuration.

```json
{
  "public_subnets": []
}
```

--------------------------------

### Terraform: Map of Strings Input Example

Source: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/README.md

Illustrates the use of a map of strings for input variables in Terraform. This is typically used for applying additional tags to resources such as route tables or subnets. An empty map `{}` indicates that no additional tags are applied by default.

```json
{
  "public_route_table_tags": {},
  "public_subnet_tags": {},
  "redshift_acl_tags": {}
}
```

--------------------------------

### Terraform: Boolean Input Example

Source: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/README.md

Illustrates the use of boolean input variables in Terraform. These variables enable or disable specific features, such as assigning IPv6 addresses on creation, enabling DNS64, or assigning DNS A/AAAA records on launch. The values shown are the defaults.

```json
{
  "public_subnet_assign_ipv6_address_on_creation": false,
  "public_subnet_enable_dns64": true,
  "public_subnet_enable_resource_name_dns_a_record_on_launch": false,
  "public_subnet_enable_resource_name_dns_aaaa_record_on_launch": true,
  "public_subnet_ipv6_native": false
}
```

--------------------------------

### Terraform: AWS VPC Module Configuration (Issue 44)

Source: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/examples/issues/README.md

This Terraform configuration employs the AWS VPC module to provision VPC resources for the reproduction of issue 44. It specifies the Terraform and AWS provider requirements and uses a data source for availability zones. The outputs are the VPC and subnet identifiers.

```hcl
terraform {
  required_version = ">= 1.0"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 6.0"
    }
  }
}

provider "aws" {
  version = ">= 6.0"
}

data "aws_availability_zones" "available" {}

module "vpc_issue_44" {
  source = "../../"
}

output "issue_44_vpc_id" {
  description = "The ID of the VPC"
  value       = module.vpc_issue_44.vpc_id
}

output "issue_44_public_subnets" {
  description = "List of IDs of public subnets"
  value       = module.vpc_issue_44.public_subnets
}

output "issue_44_private_subnets" {
  description = "List of IDs of private subnets"
  value       = module.vpc_issue_44.private_subnets
}

output "issue_44_database_subnets" {
  description = "List of IDs of database subnets"
  value       = module.vpc_issue_44.database_subnets
}

output "issue_44_elasticache_subnets" {
  description = "List of IDs of elasticache subnets"
  value       = module.vpc_issue_44.elasticache_subnets
}

output "issue_44_nat_public_ips" {
  description = "List of public Elastic IPs created for AWS NAT Gateway"
  value       = module.vpc_issue_44.nat_public_ips
}
```

--------------------------------

### Terraform State Move for VPC Endpoints

Source: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/docs/UPGRADE-3.0.md

Commands to migrate existing VPC endpoint resources to the new sub-module structure when upgrading from v2.x to v3.x. Each endpoint resource is moved in state individually, so the upgrade does not destroy and recreate the endpoints.

```terraform
terraform state mv 'module.vpc.aws_vpc_endpoint.ssm[0]' 'module.vpc_endpoints.aws_vpc_endpoint.this["ssm"]'
terraform state mv 'module.vpc.aws_vpc_endpoint.ssmmessages[0]' 'module.vpc_endpoints.aws_vpc_endpoint.this["ssmmessages"]'
terraform state mv 'module.vpc.aws_vpc_endpoint.ec2[0]' 'module.vpc_endpoints.aws_vpc_endpoint.this["ec2"]'
```

--------------------------------

### Terraform: AWS VPC Module Configuration (Issue 46)

Source: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/examples/issues/README.md

This Terraform configuration uses the AWS VPC module to provision VPC resources for the reproduction of issue 46. It specifies the Terraform and AWS provider requirements and includes a data source for availability zones. The outputs are the VPC and subnet identifiers.

```hcl
terraform {
  required_version = ">= 1.0"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 6.0"
    }
  }
}

provider "aws" {
  version = ">= 6.0"
}

data "aws_availability_zones" "available" {}

module "vpc_issue_46" {
  source = "../../"
}

output "issue_46_vpc_id" {
  description = "The ID of the VPC"
  value       = module.vpc_issue_46.vpc_id
}

output "issue_46_public_subnets" {
  description = "List of IDs of public subnets"
  value       = module.vpc_issue_46.public_subnets
}

output "issue_46_private_subnets" {
  description = "List of IDs of private subnets"
  value       = module.vpc_issue_46.private_subnets
}

output "issue_46_database_subnets" {
  description = "List of IDs of database subnets"
  value       = module.vpc_issue_46.database_subnets
}

output "issue_46_elasticache_subnets" {
  description = "List of IDs of elasticache subnets"
  value       = module.vpc_issue_46.elasticache_subnets
}

output "issue_46_nat_public_ips" {
  description = "List of public Elastic IPs created for AWS NAT Gateway"
  value       = module.vpc_issue_46.nat_public_ips
}
```
--------------------------------

### Terraform: Database Inbound Network ACL Rules

Source: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/README.md

Defines the inbound network ACL rules for database subnets. Each rule specifies a CIDR block, a port range, a protocol, a rule action and a rule number. The example below is a single rule that allows all traffic from anywhere; it is the module's default and should be narrowed for a real database tier.

```json
{
  "cidr_block": "0.0.0.0/0",
  "from_port": 0,
  "protocol": "-1",
  "rule_action": "allow",
  "rule_number": 100,
  "to_port": 0
}
```

--------------------------------

### Retrieve AWS VPC IPAM Pool and Preview CIDR

Source: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/README.md

This example demonstrates how to obtain a VPC CIDR from an AWS IPAM pool. It looks up the IPAM pool using filters and then previews the next available CIDR block with a specified netmask length. This is necessary because the module cannot derive the CIDR from IPAM dynamically at plan time.

```hcl
# Find the pool RAM shared to your account
# Info on RAM sharing pools: https://docs.aws.amazon.com/vpc/latest/ipam/share-pool-ipam.html
data "aws_vpc_ipam_pool" "ipv4_example" {
  filter {
    name   = "description"
    values = ["*mypool*"]
  }

  filter {
    name   = "address-family"
    values = ["ipv4"]
  }
}

# Preview next CIDR from pool
data "aws_vpc_ipam_preview_next_cidr" "previewed_cidr" {
  ipam_pool_id   = data.aws_vpc_ipam_pool.ipv4_example.id
  netmask_length = 24
}

data "aws_region" "current" {}
```

--------------------------------

### Terraform: Example Public Outbound ACL Rule

Source: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/README.md

This snippet shows the structure for defining outbound network ACL rules for public subnets: a list of rules, each with a protocol, a port range, an action and a rule number. These rules control traffic leaving the public subnets for external destinations; the rule shown allows everything.

```json
[
  {
    "cidr_block": "0.0.0.0/0",
    "from_port": 0,
    "protocol": "-1",
    "rule_action": "allow",
    "rule_number": 100,
    "to_port": 0
  }
]
```

--------------------------------

### Terraform State Remove for Gateway Endpoint Associations

Source: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/docs/UPGRADE-3.0.md

Commands to remove the old route table association resources for gateway endpoints from state when upgrading to v3.x. These associations are now managed within the VPC endpoint resource itself, so the standalone resources are dropped from state rather than destroyed.

```terraform
terraform state rm 'module.vpc.aws_vpc_endpoint_route_table_association.intra_dynamodb[0]'
terraform state rm 'module.vpc.aws_vpc_endpoint_route_table_association.private_dynamodb[0]'
terraform state rm 'module.vpc.aws_vpc_endpoint_route_table_association.public_dynamodb[0]'
```

--------------------------------

### Allocate External IPs for NAT Gateways with Terraform

Source: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/README.md

This example shows how to allocate Elastic IPs outside the VPC module and then associate them with the NAT gateways created by the module. This is useful for keeping the same public IPs across VPC re-creations, for instance when those IPs are allow-listed by third parties. It requires setting `reuse_nat_ips` to `true` and passing the allocated IP IDs in `external_nat_ip_ids`.

```hcl
resource "aws_eip" "nat" {
  count = 3

  # The former `vpc = true` argument was removed in AWS provider v6; `domain = "vpc"` replaces it
  domain = "vpc"
}

module "vpc" {
  source = "terraform-aws-modules/vpc/aws"

  # The rest of arguments are omitted for brevity

  enable_nat_gateway  = true
  single_nat_gateway  = false
  reuse_nat_ips       = true              # <= Skip creation of EIPs for the NAT Gateways
  external_nat_ip_ids = aws_eip.nat[*].id # <= IPs specified here as input to the module
}
```

--------------------------------

### Configure VPC Block Public Access Options (HCL)

Source: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/examples/block-public-access/README.md

Terraform HCL code to configure VPC block public access. This example sets the internet gateway block mode to `block-bidirectional`. The other valid modes are `block-ingress` and `off`.

```hcl
vpc_block_public_access_options = {
  internet_gateway_block_mode = "block-bidirectional"
}
```

--------------------------------

### Configure VPC Block Public Access Exclusions (HCL)

Source: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/examples/block-public-access/README.md

Terraform HCL code to define exclusions from VPC block public access at the VPC level. This example allows bidirectional traffic for the entire VPC, which cancels the block for every subnet in it. One of `exclude_vpc` or `exclude_subnet` must be set to `true`.

```hcl
vpc_block_public_access_exclusions = {
  exclude_vpc = {
    exclude_vpc                     = true
    internet_gateway_exclusion_mode = "allow-bidirectional"
  }
}
```

--------------------------------

### Configure Subnet-Level VPC Block Public Access Exclusions (HCL)

Source: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/examples/block-public-access/README.md

Terraform HCL code to define exclusions from VPC block public access at the subnet level. This example allows egress traffic for the private subnets at specific indices while the block stays in force for the rest of the VPC. The `subnet_type` can be `public`, `private`, `database`, `redshift`, `elasticache`, `intra`, or `custom`.

```hcl
vpc_block_public_access_exclusions = {
  exclude_subnet_private1 = {
    exclude_subnet                  = true
    subnet_type                     = "private"
    subnet_index                    = 1
    internet_gateway_exclusion_mode = "allow-egress"
  }
  exclude_subnet_private2 = {
    exclude_subnet                  = true
    subnet_type                     = "private"
    subnet_index                    = 2
    internet_gateway_exclusion_mode = "allow-egress"
  }
}
```

--------------------------------

### Terraform VPC with IPAM Pool - Initialization and Application

Source: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/examples/ipam/README.md

This snippet shows the Terraform commands required to initialize, plan, and apply a VPC configuration that takes its CIDR from an IPAM pool. The IPAM pool must exist before the VPC resources that depend on it are applied, which is why the first apply is targeted.

```bash
terraform init
terraform plan
terraform apply -target=aws_vpc_ipam_preview_next_cidr.this # CIDR pool must exist before assigning CIDR from pool
terraform apply
```

--------------------------------

### Enable Resource Name DNS A Record on Launch for Elasticache Subnets in Terraform

Source: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/README.md

Indicates whether to respond to DNS queries for instance hostnames with DNS A records. This is used for IPv4 address resolution. Defaults to `false`.

```terraform
elasticache_subnet_enable_resource_name_dns_a_record_on_launch = false
```

--------------------------------

### Terraform: NAT Gateway and Outpost Subnet Configuration

Source: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/README.md

Configures the deployment of NAT gateways, specifically the option to have one NAT gateway per availability zone, which requires `var.azs` to be set. It also defines settings for Outpost subnets, including the Outpost ARN, its anchor AZ, and whether to use a dedicated network ACL.

```terraform
variable "one_nat_gateway_per_az" {
  description = "Should be true if you want only one NAT Gateway per availability zone. Requires `var.azs` to be set, and the number of `public_subnets` created to be greater than or equal to the number of availability zones specified in `var.azs`"
  type        = bool
  default     = false
}

variable "outpost_acl_tags" {
  description = "Additional tags for the outpost subnets network ACL"
  type        = map(string)
  default     = {}
}

variable "outpost_arn" {
  description = "ARN of Outpost you want to create a subnet in"
  type        = string
  default     = null
}

variable "outpost_az" {
  description = "AZ where Outpost is anchored"
  type        = string
  default     = null
}

variable "outpost_dedicated_network_acl" {
  description = "Whether to use dedicated network ACL (not default) and custom rules for outpost subnets"
  type        = bool
  default     = false
}
```

--------------------------------

### Enable Resource Name DNS AAAA Record on Launch for Elasticache Subnets in Terraform

Source: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/README.md

Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. This is used for IPv6 address resolution. Defaults to `true`.

```terraform
elasticache_subnet_enable_resource_name_dns_aaaa_record_on_launch = true
```

--------------------------------

### Terraform VPC with IPAM Pool - Destruction

Source: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/examples/ipam/README.md

This snippet outlines the Terraform commands for destroying the resources created by the VPC with IPAM pool configuration. The VPC must be destroyed first, before the IPAM pool resources it draws its CIDR from.
```bash
terraform destroy -target=module.vpc # destroy VPC that uses the IPAM pool CIDR first
terraform destroy
```

--------------------------------

### Terraform: Configure IP address mapping on launch

Source: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/README.md

Defines whether instances launched into a subnet should be assigned a public IP address or a customer-owned IP address. When using customer-owned IPs, the `customer_owned_ipv4_pool` and `outpost_arn` arguments must also be provided.

```terraform
variable "map_customer_owned_ip_on_launch" {
  description = "Specify true to indicate that network interfaces created in the subnet should be assigned a customer owned IP address. The `customer_owned_ipv4_pool` and `outpost_arn` arguments must be specified when set to `true`. Default is `false`"
  type        = bool
  default     = false
}

variable "map_public_ip_on_launch" {
  description = "Specify true to indicate that instances launched into the subnet should be assigned a public IP address. Default is `false`"
  type        = bool
  default     = false
}
```

--------------------------------

### Calculate Subnet CIDRs with Terraform

Source: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/README.md

This snippet demonstrates how to calculate subnet CIDRs with Terraform's built-in `cidrsubnets` function. It takes the previewed IPAM CIDR and partitions it into private and public subnets, and also builds the availability zone list from the current region. With the /24 previewed above, `cidrsubnets(cidr, 2, 2)` yields two /26 halves, and each half is split again into two /28 subnets, one per AZ. It depends on `data.aws_vpc_ipam_preview_next_cidr` and `data.aws_region.current` from the previous snippet.

```terraform
locals {
  partition       = cidrsubnets(data.aws_vpc_ipam_preview_next_cidr.previewed_cidr.cidr, 2, 2)
  private_subnets = cidrsubnets(local.partition[0], 2, 2)
  public_subnets  = cidrsubnets(local.partition[1], 2, 2)
  azs             = formatlist("${data.aws_region.current.name}%s", ["a", "b"])
}

module "vpc_cidr_from_ipam" {
  source = "terraform-aws-modules/vpc/aws"

  name              = "vpc-cidr-from-ipam"
  ipv4_ipam_pool_id = data.aws_vpc_ipam_pool.ipv4_example.id
  azs               = local.azs
  cidr              = data.aws_vpc_ipam_preview_next_cidr.previewed_cidr.cidr
  private_subnets   = local.private_subnets
  public_subnets    = local.public_subnets
}
```

--------------------------------

### Enable DNS Support in Default VPC via Terraform

Source: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/README.md

Determines whether DNS resolution is supported within the default VPC. Enabling this (`true`) lets instances resolve DNS names through the Amazon-provided resolver.

```terraform
default_vpc_enable_dns_support = true
```

--------------------------------

### Redshift Subnet Naming and Tagging (Terraform)

Source: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/README.md

Defines the naming convention and additional tags for Redshift subnets and their associated route tables and subnet groups. Names can be customised either through a suffix or through explicit name tags.

```terraform
redshift_subnet_names       = []
redshift_subnet_suffix      = "redshift"
redshift_subnet_tags        = {}
redshift_subnet_group_tags  = {}
redshift_route_table_tags   = {}
```

--------------------------------

### Redshift Subnet DNS Configuration (Terraform)

Source: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/README.md

Controls DNS hostname behaviour for instances launched within Redshift subnets: whether resource name DNS A and AAAA records are created on launch, and which private DNS hostname type is used.

```terraform
redshift_subnet_enable_resource_name_dns_a_record_on_launch    = false
redshift_subnet_enable_resource_name_dns_aaaa_record_on_launch = true
redshift_subnet_private_dns_hostname_type_on_launch            = null
```

--------------------------------

### Enable Public Access to RDS Instances

Source: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/README.md

This configuration allows public access to RDS instances, which is generally not recommended for production environments. It enables the creation of a database subnet group, a dedicated database route table and an internet gateway route for it, along with DNS hostnames and DNS support.

```hcl
create_database_subnet_group           = true
create_database_subnet_route_table     = true
create_database_internet_gateway_route = true

enable_dns_hostnames = true
enable_dns_support   = true
```

--------------------------------

### Describe VPC Block Public Access Options (AWS CLI)

Source: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/examples/block-public-access/README.md

AWS CLI command to retrieve the current VPC block public access options for a region. This is useful for verifying the deployment after applying the Terraform changes.

```bash
aws ec2 --region eu-west-1 describe-vpc-block-public-access-options
```

--------------------------------

### Configure VPC Instance Tenancy

Source: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/README.md

Specifies the tenancy option for instances launched within the VPC. Options are `default` for shared hardware or `dedicated` for hardware dedicated to a single AWS account.

```hcl
instance_tenancy = "dedicated"
```

--------------------------------

### Enable DNS64 for Elasticache Subnets in Terraform

Source: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/README.md

Determines whether DNS queries to the Amazon-provided DNS Resolver in the Elasticache subnet should return synthetic IPv6 addresses for IPv4-only destinations. Defaults to `true`.

```terraform
elasticache_subnet_enable_dns64 = true
```

--------------------------------

### Redshift Subnet IPv6 Configuration (Terraform)

Source: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/README.md

Configures IPv6 settings for Redshift subnets: IPv6 address assignment on creation, DNS64 support, IPv6-only (native) subnets, and the IPv6 prefixes to use. These settings only matter for IPv6-enabled VPCs.

```terraform
redshift_subnet_assign_ipv6_address_on_creation = false
redshift_subnet_enable_dns64                    = true
redshift_subnet_ipv6_native                     = false
redshift_subnet_ipv6_prefixes                   = []
```

--------------------------------

### Configure VPC Flow Log Format and Traffic Type

Source: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/README.md

Defines the fields to include in the VPC flow log records and the type of network traffic to capture (`ACCEPT`, `REJECT`, or `ALL`). This allows the log data to be tailored for analysis; note that capturing only `ACCEPT` drops the rejected flows that are usually the most useful for detection.

```hcl
# The `$$` escapes the `${...}` field placeholders so Terraform passes them through literally instead of interpolating
flow_log_log_format   = "$${version} $${account-id} $${interface-id} $${srcaddr} $${dstaddr} $${srcport} $${dstport} $${protocol} $${packets} $${bytes} $${start} $${end} $${action}"
flow_log_traffic_type = "ACCEPT"
```

--------------------------------

### Configure DHCP Options Domain Name Servers in Terraform

Source: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/README.md

Specifies a list of DNS server addresses for the DHCP options set. Defaults to the AWS-provided DNS. This requires `enable_dhcp_options` to be set to `true`.

```terraform
dhcp_options_domain_name_servers = ["AmazonProvidedDNS"]
```

--------------------------------

### Redshift Network ACL Rules Configuration (Terraform)

Source: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/README.md

Defines the inbound and outbound network access control list rules for Redshift subnets within the VPC. Each rule allows or denies traffic based on CIDR block, port range and protocol. The defaults shown allow all traffic in both directions.

```terraform
redshift_inbound_acl_rules = [
  {
    "cidr_block": "0.0.0.0/0",
    "from_port": 0,
    "protocol": "-1",
    "rule_action": "allow",
    "rule_number": 100,
    "to_port": 0
  }
]

redshift_outbound_acl_rules = [
  {
    "cidr_block": "0.0.0.0/0",
    "from_port": 0,
    "protocol": "-1",
    "rule_action": "allow",
    "rule_number": 100,
    "to_port": 0
  }
]
```

--------------------------------

### Conditionally Create VPC Module (Terraform Pre-0.13)

Source: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/README.md

This snippet demonstrates how to conditionally create the VPC module's resources in Terraform versions prior to 0.13 using the `create_vpc` argument. Setting `create_vpc` to `false` prevents the module's resources from being provisioned.

```hcl
module "vpc" {
  source = "terraform-aws-modules/vpc/aws"

  create_vpc = false
  # ... omitted
}
```

--------------------------------

### Terraform: Boolean Input for Dedicated Network ACL

Source: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/README.md

Illustrates a boolean input variable that controls the use of a dedicated network ACL for Redshift subnets. Setting this to `false` means the VPC's default network ACL is used, while `true` creates a dedicated ACL populated with the custom rules.
```json { "redshift_dedicated_network_acl": false } ``` -------------------------------- ### Intra Subnet DNS Hostname Configuration Source: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/README.md Controls how DNS hostnames are assigned to instances launched within intra subnets. Options include using IP names or resource names, and enabling AAAA records for IPv6. This impacts how instances are discovered and accessed via DNS. ```terraform intra_subnet_enable_resource_name_dns_a_record_on_launch = false intra_subnet_enable_resource_name_dns_aaaa_record_on_launch = true intra_subnet_private_dns_hostname_type_on_launch = null ``` -------------------------------- ### Enable DNS Hostnames in Default VPC via Terraform Source: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/README.md Controls whether DNS hostnames are enabled for instances within the default VPC. Setting this to `true` allows instances to resolve public DNS names, which is often required for various services. ```terraform default_vpc_enable_dns_hostnames = true ``` -------------------------------- ### Terraform: Configure IPv6 CIDR block and IPAM settings Source: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/README.md Configures IPv6 settings for the VPC, allowing for explicit CIDR block assignment or derivation from an IPAM pool. It also supports specifying the netmask length for IPAM allocations and a network border group for IPv6 CIDR blocks. ```terraform variable "ipv6_cidr" { description = "(Optional) IPv6 CIDR block to request from an IPAM Pool. Can be set explicitly or derived from IPAM using `ipv6_netmask_length`" type = string default = null } variable "ipv6_cidr_block_network_border_group" { description = "By default when an IPv6 CIDR is assigned to a VPC a default ipv6_cidr_block_network_border_group will be set to the region of the VPC. 
This can be changed to restrict advertisement of public addresses to specific Network Border Groups such as LocalZones" type = string default = null } variable "ipv6_ipam_pool_id" { description = "(Optional) IPAM Pool ID for a IPv6 pool. Conflicts with `assign_generated_ipv6_cidr_block`" type = string default = null } variable "ipv6_netmask_length" { description = "(Optional) Netmask length to request from IPAM Pool. Conflicts with `ipv6_cidr_block`. This can be omitted if IPAM pool as a `allocation_default_netmask_length` set. Valid values: `56`" type = number default = null } ``` -------------------------------- ### Describe VPC Block Public Access Exclusions (AWS CLI) Source: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/examples/block-public-access/README.md AWS CLI command to retrieve specific VPC block public access exclusions using their exclusion IDs. First, obtain the exclusion ID from Terraform output, then use this command for verification. ```bash terraform output vpc_block_public_access_exclusions aws ec2 --region eu-west-1 describe-vpc-block-public-access-exclusions --exclusion-ids exclusion-id ``` -------------------------------- ### Configure Default Network ACL Ingress Rules in Terraform Source: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/README.md Specifies ingress rules for the default Network ACL, controlling inbound traffic. You can define actions, CIDR blocks (IPv4 and IPv6), protocols, rule numbers, and ports. Essential for securing network entry points. 
```terraform
default_network_acl_ingress = [
  {
    "action": "allow",
    "cidr_block": "0.0.0.0/0",
    "from_port": 0,
    "protocol": "-1",
    "rule_no": 100,
    "to_port": 0
  },
  {
    "action": "allow",
    "from_port": 0,
    "ipv6_cidr_block": "::/0",
    "protocol": "-1",
    "rule_no": 101,
    "to_port": 0
  }
]
```

--------------------------------

### Terraform: Manage default VPC resources
Source: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/README.md

Controls the management of default VPC resources, including the network ACL, route table, security group, and the default VPC itself. Setting these to true allows the module to adopt and manage these resources.

```terraform
variable "manage_default_network_acl" {
  description = "Should be true to adopt and manage Default Network ACL"
  type        = bool
  default     = true
}

variable "manage_default_route_table" {
  description = "Should be true to manage default route table"
  type        = bool
  default     = true
}

variable "manage_default_security_group" {
  description = "Should be true to adopt and manage default security group"
  type        = bool
  default     = true
}

variable "manage_default_vpc" {
  description = "Should be true to adopt and manage Default VPC"
  type        = bool
  default     = false
}
```

--------------------------------

### Terraform: VPC Naming and NAT Gateway Configuration
Source: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/README.md

Sets the name for VPC resources and configures NAT gateway behavior. This includes options for custom destination CIDR blocks for NAT gateways and defining additional tags for NAT gateways and their associated Elastic IPs.

```terraform
variable "name" {
  description = "Name to be used on all the resources as identifier"
  type        = string
  default     = ""
}

variable "nat_eip_tags" {
  description = "Additional tags for the NAT EIP"
  type        = map(string)
  default     = {}
}

variable "nat_gateway_destination_cidr_block" {
  description = "Used to pass a custom destination route for private NAT Gateway. If not specified, the default 0.0.0.0/0 is used as a destination route"
  type        = string
  default     = "0.0.0.0/0"
}

variable "nat_gateway_tags" {
  description = "Additional tags for the NAT gateways"
  type        = map(string)
  default     = {}
}
```

--------------------------------

### Configure VPC Flow Log File and Aggregation Settings
Source: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/README.md

Configures the file format for VPC flow logs stored in S3 (plain-text or parquet) and the maximum aggregation interval for capturing flow data. It also includes an option to enable Hive-compatible partitioning for S3-stored logs.

```hcl
flow_log_file_format                = "parquet"
flow_log_max_aggregation_interval   = 60
flow_log_hive_compatible_partitions = true
```

--------------------------------

### Configure Default Route Table Routes in Terraform
Source: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/README.md

Defines custom routes for the default route table. This configuration block allows for specifying destination CIDR blocks and targets, enabling granular control over network traffic flow within the VPC.

```terraform
default_route_table_routes = [
  # Example route configuration
  # {
  #   "cidr_block": "10.0.1.0/24",
  #   "gateway_id": "vgw-12345678"
  # }
]
```

--------------------------------

### Configure AWS VPC Endpoints with Terraform
Source: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/modules/vpc-endpoints/README.md

This HCL code snippet demonstrates how to configure AWS VPC endpoints using the terraform-aws-modules/vpc module. It defines various endpoint types (interface and gateway) for services like S3, DynamoDB, SNS, and SQS, including custom configurations for subnets, private DNS, and security groups.
```hcl
module "endpoints" {
  source = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"

  vpc_id             = "vpc-12345678"
  security_group_ids = ["sg-12345678"]

  endpoints = {
    s3 = {
      # interface endpoint
      service = "s3"
      tags    = { Name = "s3-vpc-endpoint" }
    },
    dynamodb = {
      # gateway endpoint
      service         = "dynamodb"
      service_type    = "Gateway"
      route_table_ids = ["rt-12322456", "rt-43433343", "rt-11223344"]
      tags            = { Name = "dynamodb-vpc-endpoint" }
    },
    sns = {
      service    = "sns"
      subnet_ids = ["subnet-12345678", "subnet-87654321"]
      subnet_configurations = [
        {
          ipv4      = "10.8.34.10"
          subnet_id = "subnet-12345678"
        },
        {
          ipv4      = "10.8.35.10"
          subnet_id = "subnet-87654321"
        }
      ]
      tags = { Name = "sns-vpc-endpoint" }
    },
    sqs = {
      service             = "sqs"
      private_dns_enabled = true
      security_group_ids  = ["sg-987654321"]
      subnet_ids          = ["subnet-12345678", "subnet-87654321"]
      tags                = { Name = "sqs-vpc-endpoint" }
    },
  }

  tags = {
    Owner       = "user"
    Environment = "dev"
  }
}
```

--------------------------------

### Configure VPC Flow Log Destination and Type
Source: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/README.md

Specifies the destination ARN for VPC flow logs and the destination type. Supported types include 's3', 'kinesis-data-firehose', and 'cloud-watch-logs'. If 'create_flow_log_cloudwatch_log_group' is false, the 'flow_log_destination_arn' must be provided.

```hcl
flow_log_destination_arn  = "arn:aws:logs:us-east-1:123456789012:log-group:my-vpc-flow-logs"
flow_log_destination_type = "cloud-watch-logs"
```

```hcl
flow_log_destination_arn  = "arn:aws:s3:::my-vpc-flow-log-bucket/"
flow_log_destination_type = "s3"
```

--------------------------------

### Terraform: Boolean Input for Political Stance
Source: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/README.md

This snippet represents a boolean input variable with a specific, non-technical purpose related to user agreement on a political statement.
It demonstrates how Terraform can be used to capture user opinions or confirmations, though such usage is unconventional for infrastructure code.

```json
{
  "putin_khuylo": true
}
```

--------------------------------

### Configure Outpost Subnet Network ACL Rules (Terraform)
Source: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/README.md

Defines the outbound network access control list (ACL) rules for Outpost subnets. This configuration allows specifying CIDR blocks, protocols, rule actions, and rule numbers to control network traffic. It is crucial for managing network security in Outpost environments.

```Terraform
outpost_outbound_acl_rules = [
  {
    "cidr_block": "0.0.0.0/0",
    "from_port": 0,
    "protocol": "-1",
    "rule_action": "allow",
    "rule_number": 100,
    "to_port": 0
  }
]
```

--------------------------------

### Intra Subnet Naming and Tagging
Source: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/README.md

Customizes the naming and tagging of intra subnets. You can provide explicit names using `intra_subnet_names` or append a suffix with `intra_subnet_suffix`. Additional tags can be applied using `intra_subnet_tags`.

```terraform
intra_subnet_names     = []
intra_subnet_suffix    = "intra"
intra_subnet_tags      = {}
intra_route_table_tags = {}
intra_acl_tags         = {}
```

--------------------------------

### Configure VPC Flow Logs to S3 Bucket using Terraform
Source: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/modules/flow-log/README.md

This snippet shows how to configure AWS VPC Flow Logs to send log data to an S3 bucket using the Terraform AWS VPC module. It requires specifying the VPC ID, log destination type as 's3', the S3 bucket ARN, and optional tags.
```hcl
module "flow_log" {
  source = "terraform-aws-modules/vpc/aws//modules/flow-log"

  name   = "example"
  vpc_id = "vpc-12345678"

  log_destination_type = "s3"
  log_destination      = "arn:aws:s3:::example-20250602150510701600000001"

  tags = {
    Owner       = "user"
    Environment = "dev"
  }
}
```

--------------------------------

### Destroy Terraform-Managed Resources
Source: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/examples/flow-log/README.md

Command to remove all AWS resources created by the Terraform configuration. This is important for cost management and cleanup after the resources are no longer needed.

```bash
terraform destroy
```

--------------------------------

### VPC IPv4 IPAM Pool and Netmask Configuration
Source: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/README.md

Configures IPv4 address allocation for the VPC using AWS IPAM. The `ipv4_ipam_pool_id` allows you to specify an existing IPAM pool, and `ipv4_netmask_length` defines the desired CIDR block size for the VPC. These are optional parameters for advanced IP management.

```terraform
ipv4_ipam_pool_id   = null
ipv4_netmask_length = null
```

--------------------------------

### Terraform: Outpost Subnet Inbound Network ACL Rules
Source: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/README.md

Defines the inbound network ACL rules for Outpost subnets. By default, it includes a rule to allow all traffic from any source to any destination, with specific port and protocol configurations.
```terraform
variable "outpost_inbound_acl_rules" {
  description = "Outpost subnets inbound network ACLs"
  type        = list(map(string))
  default = [
    {
      "cidr_block"  = "0.0.0.0/0",
      "from_port"   = 0,
      "protocol"    = "-1",
      "rule_action" = "allow",
      "rule_number" = 100,
      "to_port"     = 0
    }
  ]
}
```

--------------------------------

### IAM Role Trust Policy Permissions
Source: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/modules/flow-log/README.md

Defines IAM policy statements for custom trust policy permissions for an IAM role. This allows granular control over which entities can assume the role. The structure supports defining statement IDs (`sid`), actions, resources, principals, and conditions for the policy.

```terraform
input_iam_role_trust_policy_permissions = map(object({
  sid           = optional(string)
  actions       = optional(list(string))
  not_actions   = optional(list(string))
  effect        = optional(string, "Allow")
  resources     = optional(list(string))
  not_resources = optional(list(string))
  principals = optional(list(object({
    type        = string
    identifiers = list(string)
  })))
  not_principals = optional(list(object({
    type        = string
    identifiers = list(string)
  })))
  condition = optional(list(object({
    test     = string
    variable = string
    values   = list(string)
  })))
}))
```

--------------------------------

### Configure VPC Flow Logs to CloudWatch Logs using Terraform
Source: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/modules/flow-log/README.md

This snippet demonstrates how to configure AWS VPC Flow Logs to send log data to CloudWatch Logs using the Terraform AWS VPC module. It requires specifying the VPC ID and other optional tags.
```hcl
module "flow_log" {
  source = "terraform-aws-modules/vpc/aws//modules/flow-log"

  name   = "example"
  vpc_id = "vpc-12345678"

  tags = {
    Owner       = "user"
    Environment = "dev"
  }
}
```

--------------------------------

### Configure Private Subnet Network ACL Rules (Terraform)
Source: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/README.md

Specifies the inbound and outbound network access control list (ACL) rules for private subnets. This allows fine-grained control over network traffic entering and leaving private subnets. The configuration includes details like CIDR blocks, ports, protocols, and rule actions.

```Terraform
private_inbound_acl_rules = [
  {
    "cidr_block": "0.0.0.0/0",
    "from_port": 0,
    "protocol": "-1",
    "rule_action": "allow",
    "rule_number": 100,
    "to_port": 0
  }
]

private_outbound_acl_rules = [
  {
    "cidr_block": "0.0.0.0/0",
    "from_port": 0,
    "protocol": "-1",
    "rule_action": "allow",
    "rule_number": 100,
    "to_port": 0
  }
]
```

--------------------------------

### Intra Subnet IPv6 Configuration Options
Source: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/README.md

Configures IPv6 settings for intra subnets. This includes options to assign IPv6 addresses on creation, enable DNS64 for IPv6-only destinations, and specify the native IPv6 subnet mode.

```terraform
intra_subnet_assign_ipv6_address_on_creation = false
intra_subnet_enable_dns64                    = true
intra_subnet_ipv6_native                     = false
```

--------------------------------

### AWS Region Configuration (Terraform)
Source: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/README.md

Specifies the AWS region where the VPC resources will be deployed. If not explicitly set, it defaults to the region configured in the AWS provider.
```Terraform
region = null
```

--------------------------------

### Configure Public Network ACL Rules for Subnets
Source: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/README.md

This configuration shows how to manage network ACLs for subnets. It includes options to manage the default network ACL, create dedicated network ACLs for public subnets, and define custom inbound and outbound NACL rules using `public_inbound_acl_rules` and `public_outbound_acl_rules`. The rule objects use the same keys as the module's other `*_acl_rules` inputs (`rule_number`, `protocol`, `from_port`, `to_port`, `rule_action`, `cidr_block`).

```hcl
manage_default_network_acl   = true
public_dedicated_network_acl = true

public_inbound_acl_rules = [
  # Example rule: allow inbound TCP port 22 (SSH) from anywhere (0.0.0.0/0) into the public subnets
  {
    rule_number = 100
    protocol    = "tcp"
    from_port   = 22
    to_port     = 22
    rule_action = "allow"
    cidr_block  = "0.0.0.0/0"
  }
]

public_outbound_acl_rules = [
  # Example rule: allow all outbound traffic to anywhere
  {
    rule_number = 100
    protocol    = "-1"
    from_port   = 0
    to_port     = 0
    rule_action = "allow"
    cidr_block  = "0.0.0.0/0"
  }
]
```

--------------------------------

### Configure VPC Flow Log CloudWatch IAM Role Conditions
Source: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/README.md

Defines additional conditions for the IAM role assumption (trust) policy used when publishing VPC flow logs to CloudWatch. This allows fine-grained control over the circumstances under which the role may be assumed. The input expects a list of objects, each specifying a test, a variable to evaluate, and a list of values to match.

```hcl
flow_log_cloudwatch_iam_role_conditions = [
  {
    test     = "StringEquals"
    variable = "iam:PassedToService"
    values   = ["ec2.amazonaws.com"]
  },
  {
    test     = "StringLike"
    variable = "iam:RequestTag/Project"
    values   = ["example-project-*"]
  }
]
```
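Network ACL rule lists such as `public_inbound_acl_rules` above are stateless and evaluated in `rule_number` order, first match wins, so an allow-all at a low number silently shadows any deny placed after it. The following Python is an added example, not module code: it evaluates a rule list in the module's input shape the way the ACL does and reports shadowed rules; the sample rules and the source addresses in the checks are constructed.

```python
"""Evaluate a terraform-aws-vpc style NACL rule list the way the ACL does: lowest rule_number
first, first match wins, implicit deny. Added example; rule shape mirrors the module inputs."""
import ipaddress

# Constructed sample: allow-all at 100 runs before the SSH deny at 110, so the deny never fires.
SAMPLE_INBOUND_RULES = [
    {"rule_number": 100, "protocol": "-1", "from_port": 0, "to_port": 0,
     "rule_action": "allow", "cidr_block": "0.0.0.0/0"},
    {"rule_number": 110, "protocol": "tcp", "from_port": 22, "to_port": 22,
     "rule_action": "deny", "cidr_block": "0.0.0.0/0"},
]
_PROTO_NUMBERS = {"tcp": "6", "udp": "17", "icmp": "1"}

def _proto(name):
    p = str(name).lower()
    return _PROTO_NUMBERS.get(p, p)  # "-1" means any protocol

def _net(rule):
    return ipaddress.ip_network(rule.get("cidr_block") or rule["ipv6_cidr_block"], strict=False)

def _ports_cover(rule, lo, hi):
    return int(rule["from_port"]) <= lo and hi <= int(rule["to_port"])

def _matches(rule, proto, port, src):
    if ipaddress.ip_address(src) not in _net(rule):  # mixed v4/v6 never matches
        return False
    return _proto(rule["protocol"]) == "-1" or (
        _proto(rule["protocol"]) == _proto(proto) and _ports_cover(rule, port, port))

def evaluate(rules, proto, port, src):
    """Return (action, rule_number); ("deny", None) is the implicit '*' rule."""
    for rule in sorted(rules, key=lambda r: int(r["rule_number"])):
        if _matches(rule, proto, port, src):
            return rule["rule_action"], int(rule["rule_number"])
    return "deny", None

def _covers(outer, inner):
    """True if every packet matched by inner is also matched by outer."""
    o_net, i_net = _net(outer), _net(inner)
    if o_net.version != i_net.version or not i_net.subnet_of(o_net):
        return False
    return _proto(outer["protocol"]) == "-1" or (
        _proto(outer["protocol"]) == _proto(inner["protocol"])
        and _ports_cover(outer, int(inner["from_port"]), int(inner["to_port"])))

def shadowed_rules(rules):
    """rule_numbers that never fire because an earlier rule matches everything they match."""
    ordered = sorted(rules, key=lambda r: int(r["rule_number"]))
    return [int(r["rule_number"]) for i, r in enumerate(ordered)
            if any(_covers(e, r) for e in ordered[:i])]
```

Swapping the two rule numbers in the sample makes the deny fire first and clears the shadowing report, which is the ordering the module's `*_acl_rules` inputs need when a deny is meant to take precedence.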