From 1e36f9f8a01eb26be83d8e1ce2227a6890390b0e Mon Sep 17 00:00:00 2001 From: samul69 <81085359+samul69@users.noreply.github.com> Date: Thu, 7 Sep 2023 22:03:22 +0200 Subject: [PATCH 01/41] fix: The number of intra subnets should not influence the number of NAT gateways provisioned (#968) intra subnets shouldn't determine number of nat gateways "The module does not take into account the number of intra_subnets, since the latter are designed to have no Internet access via NAT Gateway." --- main.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/main.tf b/main.tf index 25fb194e4..9d19218f1 100644 --- a/main.tf +++ b/main.tf @@ -10,7 +10,6 @@ locals { max_subnet_length = max( local.len_private_subnets, local.len_public_subnets, - local.len_intra_subnets, local.len_elasticache_subnets, local.len_database_subnets, local.len_redshift_subnets, From bf9a89bf447a9c866dc0d30486aec5a24dbe2631 Mon Sep 17 00:00:00 2001 From: semantic-release-bot Date: Thu, 7 Sep 2023 20:03:58 +0000 Subject: [PATCH 02/41] chore(release): version 5.1.2 [skip ci] ### [5.1.2](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.1.1...v5.1.2) (2023-09-07) ### Bug Fixes * The number of intra subnets should not influence the number of NAT gateways provisioned ([#968](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/968)) ([1e36f9f](https://github.com/terraform-aws-modules/terraform-aws-vpc/commit/1e36f9f8a01eb26be83d8e1ce2227a6890390b0e)) --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 76a37073a..1792b27bb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,13 @@ All notable changes to this project will be documented in this file. +### [5.1.2](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.1.1...v5.1.2) (2023-09-07) + + +### Bug Fixes + +* The number of intra subnets should not influence the number of NAT gateways provisioned ([#968](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/968)) ([1e36f9f](https://github.com/terraform-aws-modules/terraform-aws-vpc/commit/1e36f9f8a01eb26be83d8e1ce2227a6890390b0e)) + ### [5.1.1](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.1.0...v5.1.1) (2023-07-25) From abe2c0fcd23f1adfcb6e3a7739811e2482e2d197 Mon Sep 17 00:00:00 2001 From: Melissa Greenbaum <69476188+magreenbaum@users.noreply.github.com> Date: Sat, 18 Nov 2023 11:12:18 -0500 Subject: [PATCH 03/41] feat: Add `skip_destroy` to vpc flow log cloudwatch log group (#1009) add skip_destroy to vpc flow log cloudwatch log group Co-authored-by: magreenbaum --- README.md | 1 + variables.tf | 6 ++++++ vpc-flow-logs.tf | 1 + 3 files changed, 8 insertions(+) diff --git a/README.md b/README.md index 73c591304..caf1610f4 100644 --- a/README.md +++ b/README.md @@ -449,6 +449,7 @@ No modules. | [flow\_log\_cloudwatch\_log\_group\_name\_prefix](#input\_flow\_log\_cloudwatch\_log\_group\_name\_prefix) | Specifies the name prefix of CloudWatch Log Group for VPC flow logs | `string` | `"/aws/vpc-flow-log/"` | no | | [flow\_log\_cloudwatch\_log\_group\_name\_suffix](#input\_flow\_log\_cloudwatch\_log\_group\_name\_suffix) | Specifies the name suffix of CloudWatch Log Group for VPC flow logs | `string` | `""` | no | | [flow\_log\_cloudwatch\_log\_group\_retention\_in\_days](#input\_flow\_log\_cloudwatch\_log\_group\_retention\_in\_days) | Specifies the number of days you want to retain log events in the specified log group for VPC flow logs | `number` | `null` | no | +| [flow\_log\_cloudwatch\_log\_group\_skip\_destroy](#input\_flow\_log\_cloudwatch\_log\_group\_skip\_destroy) | Set to true if you do not wish the log group (and any logs it may contain) to be deleted at destroy time, and instead just remove the log group from the Terraform state | `bool` | `false` | no | | [flow\_log\_destination\_arn](#input\_flow\_log\_destination\_arn) | The ARN of the CloudWatch log group or S3 bucket where VPC Flow Logs will be pushed. If this ARN is a S3 bucket the appropriate permissions need to be set on that bucket's policy. When create\_flow\_log\_cloudwatch\_log\_group is set to false this argument must be provided | `string` | `""` | no | | [flow\_log\_destination\_type](#input\_flow\_log\_destination\_type) | Type of flow log destination. Can be s3 or cloud-watch-logs | `string` | `"cloud-watch-logs"` | no | | [flow\_log\_file\_format](#input\_flow\_log\_file\_format) | (Optional) The format for the flow log. Valid values: `plain-text`, `parquet` | `string` | `null` | no | diff --git a/variables.tf b/variables.tf index 148ce3f19..8a20ba93e 100644 --- a/variables.tf +++ b/variables.tf @@ -1572,6 +1572,12 @@ variable "flow_log_cloudwatch_log_group_kms_key_id" { default = null } +variable "flow_log_cloudwatch_log_group_skip_destroy" { + description = " Set to true if you do not wish the log group (and any logs it may contain) to be deleted at destroy time, and instead just remove the log group from the Terraform state" + type = bool + default = false +} + variable "putin_khuylo" { description = "Do you agree that Putin doesn't respect Ukrainian sovereignty and territorial integrity? More info: https://en.wikipedia.org/wiki/Putin_khuylo!" type = bool diff --git a/vpc-flow-logs.tf b/vpc-flow-logs.tf index ac9f25758..127d7e016 100644 --- a/vpc-flow-logs.tf +++ b/vpc-flow-logs.tf @@ -48,6 +48,7 @@ resource "aws_cloudwatch_log_group" "flow_log" { name = "${var.flow_log_cloudwatch_log_group_name_prefix}${local.flow_log_cloudwatch_log_group_name_suffix}" retention_in_days = var.flow_log_cloudwatch_log_group_retention_in_days kms_key_id = var.flow_log_cloudwatch_log_group_kms_key_id + skip_destroy = var.flow_log_cloudwatch_log_group_skip_destroy tags = merge(var.tags, var.vpc_flow_log_tags) } From c467edb180c38f493b0e9c6fdc22998a97dfde89 Mon Sep 17 00:00:00 2001 From: semantic-release-bot Date: Sat, 18 Nov 2023 16:12:43 +0000 Subject: [PATCH 04/41] chore(release): version 5.2.0 [skip ci] ## [5.2.0](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.1.2...v5.2.0) (2023-11-18) ### Features * Add `skip_destroy` to vpc flow log cloudwatch log group ([#1009](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/1009)) ([abe2c0f](https://github.com/terraform-aws-modules/terraform-aws-vpc/commit/abe2c0fcd23f1adfcb6e3a7739811e2482e2d197)) --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1792b27bb..40ef2b9fb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,13 @@ All notable changes to this project will be documented in this file. +## [5.2.0](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.1.2...v5.2.0) (2023-11-18) + + +### Features + +* Add `skip_destroy` to vpc flow log cloudwatch log group ([#1009](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/1009)) ([abe2c0f](https://github.com/terraform-aws-modules/terraform-aws-vpc/commit/abe2c0fcd23f1adfcb6e3a7739811e2482e2d197)) + ### [5.1.2](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.1.1...v5.1.2) (2023-09-07) From 898bbaf46ba8ebad54983d63fa9e8eac6456903b Mon Sep 17 00:00:00 2001 From: Tormod Macleod <38500472+tormodmacleod@users.noreply.github.com> Date: Mon, 11 Dec 2023 15:14:50 +0000 Subject: [PATCH 05/41] feat: Add NAT gateway interface ids output (#1006) * feat: Output network interface IDs of NAT gateways * docs: updated README --------- Co-authored-by: Bryant Biggs --- README.md | 1 + outputs.tf | 5 +++++ 2 files changed, 6 insertions(+) diff --git a/README.md b/README.md index caf1610f4..78a2e5e18 100644 --- a/README.md +++ b/README.md @@ -637,6 +637,7 @@ No modules. | [nat\_ids](#output\_nat\_ids) | List of allocation ID of Elastic IPs created for AWS NAT Gateway | | [nat\_public\_ips](#output\_nat\_public\_ips) | List of public Elastic IPs created for AWS NAT Gateway | | [natgw\_ids](#output\_natgw\_ids) | List of NAT Gateway IDs | +| [natgw\_interface\_ids](#output\_natgw\_interface\_ids) | List of Network Interface IDs assigned to NAT Gateways | | [outpost\_network\_acl\_arn](#output\_outpost\_network\_acl\_arn) | ARN of the outpost network ACL | | [outpost\_network\_acl\_id](#output\_outpost\_network\_acl\_id) | ID of the outpost network ACL | | [outpost\_subnet\_arns](#output\_outpost\_subnet\_arns) | List of ARNs of outpost subnets | diff --git a/outputs.tf b/outputs.tf index d4e3e4079..a542e75a6 100644 --- a/outputs.tf +++ b/outputs.tf @@ -484,6 +484,11 @@ output "natgw_ids" { value = aws_nat_gateway.this[*].id } +output "natgw_interface_ids" { + description = "List of Network Interface IDs assigned to NAT Gateways" + value = aws_nat_gateway.this[*].network_interface_id +} + ################################################################################ # Egress Only Gateway ################################################################################ From 68105dc05c9ca7c67d66adba21ca567af6d6e706 Mon Sep 17 00:00:00 2001 From: semantic-release-bot Date: Mon, 11 Dec 2023 15:15:21 +0000 Subject: [PATCH 06/41] chore(release): version 5.3.0 [skip ci] ## [5.3.0](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.2.0...v5.3.0) (2023-12-11) ### Features * Add NAT gateway interface ids output ([#1006](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/1006)) ([898bbaf](https://github.com/terraform-aws-modules/terraform-aws-vpc/commit/898bbaf46ba8ebad54983d63fa9e8eac6456903b)) --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 40ef2b9fb..ccbe828f0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,13 @@ All notable changes to this project will be documented in this file. +## [5.3.0](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.2.0...v5.3.0) (2023-12-11) + + +### Features + +* Add NAT gateway interface ids output ([#1006](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/1006)) ([898bbaf](https://github.com/terraform-aws-modules/terraform-aws-vpc/commit/898bbaf46ba8ebad54983d63fa9e8eac6456903b)) + ## [5.2.0](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.1.2...v5.2.0) (2023-11-18) From 6e25437b16955b9393348d91965ead2f755fb2e0 Mon Sep 17 00:00:00 2001 From: Kasey Linden Date: Mon, 11 Dec 2023 09:34:22 -0600 Subject: [PATCH 07/41] feat: Add Cross Account Flow Support (#1014) * feat: Add Cross Account Flow Support * fix: update flow log naming convention --------- Co-authored-by: Kasey Linden Co-authored-by: Bryant Biggs --- README.md | 4 +++- outputs.tf | 5 +++++ variables.tf | 8 +++++++- vpc-flow-logs.tf | 15 ++++++++------- 4 files changed, 23 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 78a2e5e18..f154534c0 100644 --- a/README.md +++ b/README.md @@ -450,8 +450,9 @@ No modules. | [flow\_log\_cloudwatch\_log\_group\_name\_suffix](#input\_flow\_log\_cloudwatch\_log\_group\_name\_suffix) | Specifies the name suffix of CloudWatch Log Group for VPC flow logs | `string` | `""` | no | | [flow\_log\_cloudwatch\_log\_group\_retention\_in\_days](#input\_flow\_log\_cloudwatch\_log\_group\_retention\_in\_days) | Specifies the number of days you want to retain log events in the specified log group for VPC flow logs | `number` | `null` | no | | [flow\_log\_cloudwatch\_log\_group\_skip\_destroy](#input\_flow\_log\_cloudwatch\_log\_group\_skip\_destroy) | Set to true if you do not wish the log group (and any logs it may contain) to be deleted at destroy time, and instead just remove the log group from the Terraform state | `bool` | `false` | no | +| [flow\_log\_deliver\_cross\_account\_role](#input\_flow\_log\_deliver\_cross\_account\_role) | (Optional) ARN of the IAM role that allows Amazon EC2 to publish flow logs across accounts. | `string` | `null` | no | | [flow\_log\_destination\_arn](#input\_flow\_log\_destination\_arn) | The ARN of the CloudWatch log group or S3 bucket where VPC Flow Logs will be pushed. If this ARN is a S3 bucket the appropriate permissions need to be set on that bucket's policy. When create\_flow\_log\_cloudwatch\_log\_group is set to false this argument must be provided | `string` | `""` | no | -| [flow\_log\_destination\_type](#input\_flow\_log\_destination\_type) | Type of flow log destination. Can be s3 or cloud-watch-logs | `string` | `"cloud-watch-logs"` | no | +| [flow\_log\_destination\_type](#input\_flow\_log\_destination\_type) | Type of flow log destination. Can be s3, kinesis-data-firehose or cloud-watch-logs | `string` | `"cloud-watch-logs"` | no | | [flow\_log\_file\_format](#input\_flow\_log\_file\_format) | (Optional) The format for the flow log. Valid values: `plain-text`, `parquet` | `string` | `null` | no | | [flow\_log\_hive\_compatible\_partitions](#input\_flow\_log\_hive\_compatible\_partitions) | (Optional) Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3 | `bool` | `false` | no | | [flow\_log\_log\_format](#input\_flow\_log\_log\_format) | The fields to include in the flow log record, in the order in which they should appear | `string` | `null` | no | @@ -682,6 +683,7 @@ No modules. | [vpc\_enable\_dns\_hostnames](#output\_vpc\_enable\_dns\_hostnames) | Whether or not the VPC has DNS hostname support | | [vpc\_enable\_dns\_support](#output\_vpc\_enable\_dns\_support) | Whether or not the VPC has DNS support | | [vpc\_flow\_log\_cloudwatch\_iam\_role\_arn](#output\_vpc\_flow\_log\_cloudwatch\_iam\_role\_arn) | The ARN of the IAM role used when pushing logs to Cloudwatch log group | +| [vpc\_flow\_log\_deliver\_cross\_account\_role](#output\_vpc\_flow\_log\_deliver\_cross\_account\_role) | The ARN of the IAM role used when pushing logs cross account | | [vpc\_flow\_log\_destination\_arn](#output\_vpc\_flow\_log\_destination\_arn) | The ARN of the destination for VPC Flow Logs | | [vpc\_flow\_log\_destination\_type](#output\_vpc\_flow\_log\_destination\_type) | The type of the destination for VPC Flow Logs | | [vpc\_flow\_log\_id](#output\_vpc\_flow\_log\_id) | The ID of the Flow Log resource | diff --git a/outputs.tf b/outputs.tf index a542e75a6..5cf1ffc0c 100644 --- a/outputs.tf +++ b/outputs.tf @@ -609,6 +609,11 @@ output "vpc_flow_log_cloudwatch_iam_role_arn" { value = local.flow_log_iam_role_arn } +output "vpc_flow_log_deliver_cross_account_role" { + description = "The ARN of the IAM role used when pushing logs cross account" + value = try(aws_flow_log.this[0].deliver_cross_account_role, null) +} + ################################################################################ # Static values (arguments) ################################################################################ diff --git a/variables.tf b/variables.tf index 8a20ba93e..c990ecdbd 100644 --- a/variables.tf +++ b/variables.tf @@ -1485,7 +1485,7 @@ variable "flow_log_traffic_type" { } variable "flow_log_destination_type" { - description = "Type of flow log destination. Can be s3 or cloud-watch-logs" + description = "Type of flow log destination. Can be s3, kinesis-data-firehose or cloud-watch-logs" type = string default = "cloud-watch-logs" } @@ -1502,6 +1502,12 @@ variable "flow_log_destination_arn" { default = "" } +variable "flow_log_deliver_cross_account_role" { + description = "(Optional) ARN of the IAM role that allows Amazon EC2 to publish flow logs across accounts." + type = string + default = null +} + variable "flow_log_file_format" { description = "(Optional) The format for the flow log. Valid values: `plain-text`, `parquet`" type = string diff --git a/vpc-flow-logs.tf b/vpc-flow-logs.tf index 127d7e016..9e453c819 100644 --- a/vpc-flow-logs.tf +++ b/vpc-flow-logs.tf @@ -17,13 +17,14 @@ locals { resource "aws_flow_log" "this" { count = local.enable_flow_log ? 1 : 0 - log_destination_type = var.flow_log_destination_type - log_destination = local.flow_log_destination_arn - log_format = var.flow_log_log_format - iam_role_arn = local.flow_log_iam_role_arn - traffic_type = var.flow_log_traffic_type - vpc_id = local.vpc_id - max_aggregation_interval = var.flow_log_max_aggregation_interval + log_destination_type = var.flow_log_destination_type + log_destination = local.flow_log_destination_arn + log_format = var.flow_log_log_format + iam_role_arn = local.flow_log_iam_role_arn + deliver_cross_account_role = var.flow_log_deliver_cross_account_role + traffic_type = var.flow_log_traffic_type + vpc_id = local.vpc_id + max_aggregation_interval = var.flow_log_max_aggregation_interval dynamic "destination_options" { for_each = var.flow_log_destination_type == "s3" ? [true] : [] From acadfc42ba1ec23404eec03b69603a2cc52679b1 Mon Sep 17 00:00:00 2001 From: semantic-release-bot Date: Mon, 11 Dec 2023 15:34:52 +0000 Subject: [PATCH 08/41] chore(release): version 5.4.0 [skip ci] ## [5.4.0](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.3.0...v5.4.0) (2023-12-11) ### Features * Add Cross Account Flow Support ([#1014](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/1014)) ([6e25437](https://github.com/terraform-aws-modules/terraform-aws-vpc/commit/6e25437b16955b9393348d91965ead2f755fb2e0)) --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index ccbe828f0..53356fefd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,13 @@ All notable changes to this project will be documented in this file. +## [5.4.0](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.3.0...v5.4.0) (2023-12-11) + + +### Features + +* Add Cross Account Flow Support ([#1014](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/1014)) ([6e25437](https://github.com/terraform-aws-modules/terraform-aws-vpc/commit/6e25437b16955b9393348d91965ead2f755fb2e0)) + ## [5.3.0](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.2.0...v5.3.0) (2023-12-11) From 32f853f4c099ad134d9c739d585c42a7c06a797b Mon Sep 17 00:00:00 2001 From: Erez Tamam Date: Tue, 9 Jan 2024 22:53:24 +0200 Subject: [PATCH 09/41] feat: Add support for `dns_options` on VPC endpoints (#1023) * add dns_options dynamic block * use fmt to format doc * add example for complete * fix condition to a better approach * add interface chek * add empty brackets for default values * fix: Increase provider MSV to support, correct looping logic --------- Co-authored-by: Bryant Biggs --- .pre-commit-config.yaml | 4 ++-- README.md | 4 ++-- examples/complete/README.md | 4 ++-- examples/complete/main.tf | 8 ++++++-- examples/complete/versions.tf | 2 +- examples/ipam/README.md | 4 ++-- examples/ipam/versions.tf | 2 +- examples/ipv6-dualstack/README.md | 4 ++-- examples/ipv6-dualstack/versions.tf | 2 +- examples/ipv6-only/README.md | 4 ++-- examples/ipv6-only/versions.tf | 2 +- examples/issues/README.md | 4 ++-- examples/issues/versions.tf | 2 +- examples/manage-default-vpc/README.md | 2 +- examples/manage-default-vpc/versions.tf | 2 +- examples/network-acls/README.md | 4 ++-- examples/network-acls/versions.tf | 2 +- examples/outpost/README.md | 4 ++-- examples/outpost/versions.tf | 2 +- examples/secondary-cidr-blocks/README.md | 4 ++-- examples/secondary-cidr-blocks/versions.tf | 2 +- examples/separate-route-tables/README.md | 4 ++-- examples/separate-route-tables/versions.tf | 2 +- examples/simple/README.md | 4 ++-- examples/simple/versions.tf | 2 +- examples/vpc-flow-logs/README.md | 4 ++-- examples/vpc-flow-logs/versions.tf | 2 +- modules/vpc-endpoints/README.md | 4 ++-- modules/vpc-endpoints/main.tf | 9 +++++++++ modules/vpc-endpoints/versions.tf | 2 +- versions.tf | 2 +- 31 files changed, 58 insertions(+), 45 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 0f3428382..74b0a6bcd 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,6 +1,6 @@ repos: - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.81.0 + rev: v1.86.0 hooks: - id: terraform_fmt - id: terraform_validate @@ -23,7 +23,7 @@ repos: - '--args=--only=terraform_standard_module_structure' - '--args=--only=terraform_workspace_remote' - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.4.0 + rev: v4.5.0 hooks: - id: check-merge-conflict - id: end-of-file-fixer diff --git a/README.md b/README.md index f154534c0..371702918 100644 --- a/README.md +++ b/README.md @@ -256,13 +256,13 @@ Full contributing [guidelines are covered here](.github/contributing.md). | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 5.0 | +| [aws](#requirement\_aws) | >= 5.20 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 5.0 | +| [aws](#provider\_aws) | >= 5.20 | ## Modules diff --git a/examples/complete/README.md b/examples/complete/README.md index d6e4eb4a8..4d359dd89 100644 --- a/examples/complete/README.md +++ b/examples/complete/README.md @@ -22,13 +22,13 @@ Note that this example may create resources which can cost money (AWS Elastic IP | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 5.0 | +| [aws](#requirement\_aws) | >= 5.20 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 5.0 | +| [aws](#provider\_aws) | >= 5.20 | ## Modules diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 514355631..204489880 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -102,8 +102,12 @@ module "vpc_endpoints" { endpoints = { s3 = { - service = "s3" - tags = { Name = "s3-vpc-endpoint" } + service = "s3" + private_dns_enabled = true + dns_options = { + private_dns_only_for_inbound_resolver_endpoint = false + } + tags = { Name = "s3-vpc-endpoint" } }, dynamodb = { service = "dynamodb" diff --git a/examples/complete/versions.tf b/examples/complete/versions.tf index ddfcb0e05..f8fba3dfd 100644 --- a/examples/complete/versions.tf +++ b/examples/complete/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.0" + version = ">= 5.20" } } } diff --git a/examples/ipam/README.md b/examples/ipam/README.md index 07373875a..2aa0998e6 100644 --- a/examples/ipam/README.md +++ b/examples/ipam/README.md @@ -30,13 +30,13 @@ Note that this example may create resources which can cost money (AWS Elastic IP | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 5.0 | +| [aws](#requirement\_aws) | >= 5.20 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 5.0 | +| [aws](#provider\_aws) | >= 5.20 | ## Modules diff --git a/examples/ipam/versions.tf b/examples/ipam/versions.tf index ddfcb0e05..f8fba3dfd 100644 --- a/examples/ipam/versions.tf +++ b/examples/ipam/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.0" + version = ">= 5.20" } } } diff --git a/examples/ipv6-dualstack/README.md b/examples/ipv6-dualstack/README.md index 3318683ec..9b99735f5 100644 --- a/examples/ipv6-dualstack/README.md +++ b/examples/ipv6-dualstack/README.md @@ -20,13 +20,13 @@ Note that this example may create resources which can cost money (AWS Elastic IP | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 5.0 | +| [aws](#requirement\_aws) | >= 5.20 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 5.0 | +| [aws](#provider\_aws) | >= 5.20 | ## Modules diff --git a/examples/ipv6-dualstack/versions.tf b/examples/ipv6-dualstack/versions.tf index ddfcb0e05..f8fba3dfd 100644 --- a/examples/ipv6-dualstack/versions.tf +++ b/examples/ipv6-dualstack/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.0" + version = ">= 5.20" } } } diff --git a/examples/ipv6-only/README.md b/examples/ipv6-only/README.md index eb8cea2e0..fca0b6799 100644 --- a/examples/ipv6-only/README.md +++ b/examples/ipv6-only/README.md @@ -20,13 +20,13 @@ Note that this example may create resources which can cost money (AWS Elastic IP | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 5.0 | +| [aws](#requirement\_aws) | >= 5.20 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 5.0 | +| [aws](#provider\_aws) | >= 5.20 | ## Modules diff --git a/examples/ipv6-only/versions.tf b/examples/ipv6-only/versions.tf index ddfcb0e05..f8fba3dfd 100644 --- a/examples/ipv6-only/versions.tf +++ b/examples/ipv6-only/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.0" + version = ">= 5.20" } } } diff --git a/examples/issues/README.md b/examples/issues/README.md index 92cc3a4ca..6ec13c86f 100644 --- a/examples/issues/README.md +++ b/examples/issues/README.md @@ -25,13 +25,13 @@ Note that this example may create resources which can cost money (AWS Elastic IP | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 5.0 | +| [aws](#requirement\_aws) | >= 5.20 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 5.0 | +| [aws](#provider\_aws) | >= 5.20 | ## Modules diff --git a/examples/issues/versions.tf b/examples/issues/versions.tf index ddfcb0e05..f8fba3dfd 100644 --- a/examples/issues/versions.tf +++ b/examples/issues/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.0" + version = ">= 5.20" } } } diff --git a/examples/manage-default-vpc/README.md b/examples/manage-default-vpc/README.md index 0c506f33f..c37171dc9 100644 --- a/examples/manage-default-vpc/README.md +++ b/examples/manage-default-vpc/README.md @@ -22,7 +22,7 @@ Run `terraform destroy` when you don't need these resources. | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 5.0 | +| [aws](#requirement\_aws) | >= 5.20 | ## Providers diff --git a/examples/manage-default-vpc/versions.tf b/examples/manage-default-vpc/versions.tf index ddfcb0e05..f8fba3dfd 100644 --- a/examples/manage-default-vpc/versions.tf +++ b/examples/manage-default-vpc/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.0" + version = ">= 5.20" } } } diff --git a/examples/network-acls/README.md b/examples/network-acls/README.md index 4e6ca7a0c..f0fa51948 100644 --- a/examples/network-acls/README.md +++ b/examples/network-acls/README.md @@ -24,13 +24,13 @@ Note that this example may create resources which can cost money (AWS Elastic IP | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 5.0 | +| [aws](#requirement\_aws) | >= 5.20 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 5.0 | +| [aws](#provider\_aws) | >= 5.20 | ## Modules diff --git a/examples/network-acls/versions.tf b/examples/network-acls/versions.tf index ddfcb0e05..f8fba3dfd 100644 --- a/examples/network-acls/versions.tf +++ b/examples/network-acls/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.0" + version = ">= 5.20" } } } diff --git a/examples/outpost/README.md b/examples/outpost/README.md index 8c7173bb9..6d3ca4d47 100644 --- a/examples/outpost/README.md +++ b/examples/outpost/README.md @@ -24,13 +24,13 @@ Note that this example may create resources which can cost money (AWS Elastic IP | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 5.0 | +| [aws](#requirement\_aws) | >= 5.20 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 5.0 | +| [aws](#provider\_aws) | >= 5.20 | ## Modules diff --git a/examples/outpost/versions.tf b/examples/outpost/versions.tf index ddfcb0e05..f8fba3dfd 100644 --- a/examples/outpost/versions.tf +++ b/examples/outpost/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.0" + version = ">= 5.20" } } } diff --git a/examples/secondary-cidr-blocks/README.md b/examples/secondary-cidr-blocks/README.md index 5054d43f9..176b774ce 100644 --- a/examples/secondary-cidr-blocks/README.md +++ b/examples/secondary-cidr-blocks/README.md @@ -22,13 +22,13 @@ Note that this example may create resources which can cost money (AWS Elastic IP | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 5.0 | +| [aws](#requirement\_aws) | >= 5.20 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 5.0 | +| [aws](#provider\_aws) | >= 5.20 | ## Modules diff --git a/examples/secondary-cidr-blocks/versions.tf b/examples/secondary-cidr-blocks/versions.tf index ddfcb0e05..f8fba3dfd 100644 --- a/examples/secondary-cidr-blocks/versions.tf +++ b/examples/secondary-cidr-blocks/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.0" + version = ">= 5.20" } } } diff --git a/examples/separate-route-tables/README.md b/examples/separate-route-tables/README.md index 57ee751f9..063a51dde 100644 --- a/examples/separate-route-tables/README.md +++ b/examples/separate-route-tables/README.md @@ -22,13 +22,13 @@ Note that this example may create resources which can cost money (AWS Elastic IP | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 5.0 | +| [aws](#requirement\_aws) | >= 5.20 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 5.0 | +| [aws](#provider\_aws) | >= 5.20 | ## Modules diff --git a/examples/separate-route-tables/versions.tf b/examples/separate-route-tables/versions.tf index ddfcb0e05..f8fba3dfd 100644 --- a/examples/separate-route-tables/versions.tf +++ b/examples/separate-route-tables/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.0" + version = ">= 5.20" } } } diff --git a/examples/simple/README.md b/examples/simple/README.md index 0d5658b4a..9fb29e7f2 100644 --- a/examples/simple/README.md +++ b/examples/simple/README.md @@ -26,13 +26,13 @@ Note that this example may create resources which can cost money (AWS Elastic IP | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 5.0 | +| [aws](#requirement\_aws) | >= 5.20 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 5.0 | +| [aws](#provider\_aws) | >= 5.20 | ## Modules diff --git a/examples/simple/versions.tf b/examples/simple/versions.tf index ddfcb0e05..f8fba3dfd 100644 --- a/examples/simple/versions.tf +++ b/examples/simple/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.0" + version = ">= 5.20" } } } diff --git a/examples/vpc-flow-logs/README.md b/examples/vpc-flow-logs/README.md index d0cb120a8..47bc8bc94 100644 --- a/examples/vpc-flow-logs/README.md +++ b/examples/vpc-flow-logs/README.md @@ -24,14 +24,14 @@ Note that this example may create resources which can cost money (AWS Elastic IP | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 5.0 | +| [aws](#requirement\_aws) | >= 5.20 | | [random](#requirement\_random) | >= 2.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 5.0 | +| [aws](#provider\_aws) | >= 5.20 | | [random](#provider\_random) | >= 2.0 | ## Modules diff --git a/examples/vpc-flow-logs/versions.tf b/examples/vpc-flow-logs/versions.tf index 383652286..0ac52370c 100644 --- a/examples/vpc-flow-logs/versions.tf +++ b/examples/vpc-flow-logs/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.0" + version = ">= 5.20" } random = { diff --git a/modules/vpc-endpoints/README.md b/modules/vpc-endpoints/README.md index a59292ae8..235cef659 100644 --- a/modules/vpc-endpoints/README.md +++ b/modules/vpc-endpoints/README.md @@ -56,13 +56,13 @@ module "endpoints" { | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 5.0 | +| [aws](#requirement\_aws) | >= 5.20 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 5.0 | +| [aws](#provider\_aws) | >= 5.20 | ## Modules diff --git a/modules/vpc-endpoints/main.tf b/modules/vpc-endpoints/main.tf index 8c4b09c38..096f077fc 100644 --- a/modules/vpc-endpoints/main.tf +++ b/modules/vpc-endpoints/main.tf @@ -34,6 +34,15 @@ resource "aws_vpc_endpoint" "this" { policy = try(each.value.policy, null) private_dns_enabled = try(each.value.service_type, "Interface") == "Interface" ? try(each.value.private_dns_enabled, null) : null + dynamic "dns_options" { + for_each = try([each.value.dns_options], []) + + content { + dns_record_ip_type = try(each.value.dns_options.dns_record_ip_type, null) + private_dns_only_for_inbound_resolver_endpoint = try(each.value.private_dns_only_for_inbound_resolver_endpoint, null) + } + } + tags = merge(var.tags, try(each.value.tags, {})) timeouts { diff --git a/modules/vpc-endpoints/versions.tf b/modules/vpc-endpoints/versions.tf index ddfcb0e05..f8fba3dfd 100644 --- a/modules/vpc-endpoints/versions.tf +++ b/modules/vpc-endpoints/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.0" + version = ">= 5.20" } } } diff --git a/versions.tf b/versions.tf index ddfcb0e05..f8fba3dfd 100644 --- a/versions.tf +++ b/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.0" + version = ">= 5.20" } } } From e4768508a17f79337f9f1e48ebf47ee885b98c1f Mon Sep 17 00:00:00 2001 From: semantic-release-bot Date: Tue, 9 Jan 2024 20:53:49 +0000 Subject: [PATCH 10/41] chore(release): version 5.5.0 [skip ci] ## [5.5.0](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.4.0...v5.5.0) (2024-01-09) ### Features * Add support for `dns_options` on VPC endpoints ([#1023](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/1023)) ([32f853f](https://github.com/terraform-aws-modules/terraform-aws-vpc/commit/32f853f4c099ad134d9c739d585c42a7c06a797b)) --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 53356fefd..6ce848dc1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,13 @@ All notable changes to this project will be documented in this file. +## [5.5.0](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.4.0...v5.5.0) (2024-01-09) + + +### Features + +* Add support for `dns_options` on VPC endpoints ([#1023](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/1023)) ([32f853f](https://github.com/terraform-aws-modules/terraform-aws-vpc/commit/32f853f4c099ad134d9c739d585c42a7c06a797b)) + ## [5.4.0](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.3.0...v5.4.0) (2023-12-11) From a837be12882c8f74984620752937b4806da2d6d4 Mon Sep 17 00:00:00 2001 From: Bryant Biggs Date: Sat, 13 Jan 2024 16:03:26 -0500 Subject: [PATCH 11/41] fix: Correct VPC endpoint private DNS resolver `for_each` key (#1029) --- modules/vpc-endpoints/main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/vpc-endpoints/main.tf b/modules/vpc-endpoints/main.tf index 096f077fc..fef2f8c05 100644 --- a/modules/vpc-endpoints/main.tf +++ b/modules/vpc-endpoints/main.tf @@ -38,8 +38,8 @@ resource "aws_vpc_endpoint" "this" { for_each = try([each.value.dns_options], []) content { - dns_record_ip_type = try(each.value.dns_options.dns_record_ip_type, null) - private_dns_only_for_inbound_resolver_endpoint = try(each.value.private_dns_only_for_inbound_resolver_endpoint, null) + dns_record_ip_type = try(dns_options.value.dns_options.dns_record_ip_type, null) + private_dns_only_for_inbound_resolver_endpoint = try(dns_options.value.private_dns_only_for_inbound_resolver_endpoint, null) } } From 7666869d9ca7ff658f5bd10a29dea53bde5dc464 Mon Sep 17 00:00:00 2001 From: semantic-release-bot Date: Sat, 13 Jan 2024 21:03:50 +0000 Subject: [PATCH 12/41] chore(release): version 5.5.1 [skip ci] ### [5.5.1](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.5.0...v5.5.1) (2024-01-13) ### Bug Fixes * Correct VPC endpoint private DNS resolver `for_each` key ([#1029](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/1029)) ([a837be1](https://github.com/terraform-aws-modules/terraform-aws-vpc/commit/a837be12882c8f74984620752937b4806da2d6d4)) --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6ce848dc1..93ca3ed79 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,13 @@ All notable changes to this project will be documented in this file. +### [5.5.1](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.5.0...v5.5.1) (2024-01-13) + + +### Bug Fixes + +* Correct VPC endpoint private DNS resolver `for_each` key ([#1029](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/1029)) ([a837be1](https://github.com/terraform-aws-modules/terraform-aws-vpc/commit/a837be12882c8f74984620752937b4806da2d6d4)) + ## [5.5.0](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.4.0...v5.5.0) (2024-01-09) From 5f5df571925895ad1fdf5a3bd04e539aa13f5a1d Mon Sep 17 00:00:00 2001 From: Vladimir Samoylov <51059484+cageyv@users.noreply.github.com> Date: Fri, 9 Feb 2024 19:10:26 +0700 Subject: [PATCH 13/41] fix: Added create_before_destroy to aws_customer_gateway (#1036) Co-authored-by: Anton Babenko --- main.tf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/main.tf b/main.tf index 9d19218f1..ef65f2be7 100644 --- a/main.tf +++ b/main.tf @@ -1123,6 +1123,10 @@ resource "aws_customer_gateway" "this" { var.tags, var.customer_gateway_tags, ) + + lifecycle { + create_before_destroy = true + } } ################################################################################ From f7f84f70ad6db36e4eae0273bf08ed2ffd0a69c4 Mon Sep 17 00:00:00 2001 From: semantic-release-bot Date: Fri, 9 Feb 2024 12:10:52 +0000 Subject: [PATCH 14/41] chore(release): version 5.5.2 [skip ci] ### [5.5.2](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.5.1...v5.5.2) (2024-02-09) ### Bug Fixes * Added create_before_destroy to aws_customer_gateway ([#1036](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/1036)) ([5f5df57](https://github.com/terraform-aws-modules/terraform-aws-vpc/commit/5f5df571925895ad1fdf5a3bd04e539aa13f5a1d)) --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 93ca3ed79..97060b8f6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,13 @@ All notable changes to this project will be documented in this file. +### [5.5.2](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.5.1...v5.5.2) (2024-02-09) + + +### Bug Fixes + +* Added create_before_destroy to aws_customer_gateway ([#1036](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/1036)) ([5f5df57](https://github.com/terraform-aws-modules/terraform-aws-vpc/commit/5f5df571925895ad1fdf5a3bd04e539aa13f5a1d)) + ### [5.5.1](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.5.0...v5.5.1) (2024-01-13) From 3b5b7f1fea768c6c933ea1ce2f8ee11250fa94cb Mon Sep 17 00:00:00 2001 From: Bryant Biggs Date: Wed, 6 Mar 2024 14:12:17 -0500 Subject: [PATCH 15/41] fix: Update CI workflow versions to remove deprecated runtime warnings (#1052) --- .github/workflows/lock.yml | 2 +- .github/workflows/pr-title.yml | 2 +- .github/workflows/pre-commit.yml | 36 +++++++++++++++++------- .github/workflows/release.yml | 12 ++++---- .github/workflows/stale-actions.yaml | 2 +- .pre-commit-config.yaml | 6 ++-- examples/separate-route-tables/README.md | 2 +- 7 files changed, 40 insertions(+), 22 deletions(-) diff --git a/.github/workflows/lock.yml b/.github/workflows/lock.yml index 6b6c9cec0..bd5f2df7c 100644 --- a/.github/workflows/lock.yml +++ b/.github/workflows/lock.yml @@ -8,7 +8,7 @@ jobs: lock: runs-on: ubuntu-latest steps: - - uses: dessant/lock-threads@v4 + - uses: dessant/lock-threads@v5 with: github-token: ${{ secrets.GITHUB_TOKEN }} issue-comment: > diff --git a/.github/workflows/pr-title.yml b/.github/workflows/pr-title.yml index cb32a0f81..3973df443 100644 --- a/.github/workflows/pr-title.yml +++ b/.github/workflows/pr-title.yml @@ -14,7 +14,7 @@ jobs: steps: # Please look up the latest version from # https://github.com/amannn/action-semantic-pull-request/releases - - uses: amannn/action-semantic-pull-request@v5.0.2 + - uses: amannn/action-semantic-pull-request@v5.4.0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml index cb8267134..c2632d1a4 100644 --- a/.github/workflows/pre-commit.yml +++ b/.github/workflows/pre-commit.yml @@ -8,7 +8,7 @@ on: env: TERRAFORM_DOCS_VERSION: v0.16.0 - TFLINT_VERSION: v0.44.1 + TFLINT_VERSION: v0.50.3 jobs: collectInputs: @@ -18,11 +18,11 @@ jobs: directories: ${{ steps.dirs.outputs.directories }} steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Get root directories id: dirs - uses: clowdhaus/terraform-composite-actions/directories@v1.8.3 + uses: clowdhaus/terraform-composite-actions/directories@v1.9.0 preCommitMinVersions: name: Min TF pre-commit @@ -32,19 +32,27 @@ jobs: matrix: directory: ${{ fromJson(needs.collectInputs.outputs.directories) }} steps: + # https://github.com/orgs/community/discussions/25678#discussioncomment-5242449 + - name: Delete huge unnecessary tools folder + run: | + rm -rf /opt/hostedtoolcache/CodeQL + rm -rf /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk + rm -rf /opt/hostedtoolcache/Ruby + rm -rf /opt/hostedtoolcache/go + - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Terraform min/max versions id: minMax - uses: clowdhaus/terraform-min-max@v1.2.4 + uses: clowdhaus/terraform-min-max@v1.3.0 with: directory: ${{ matrix.directory }} - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }} # Run only validate pre-commit check on min version supported if: ${{ matrix.directory != '.' }} - uses: clowdhaus/terraform-composite-actions/pre-commit@v1.8.3 + uses: clowdhaus/terraform-composite-actions/pre-commit@v1.9.0 with: terraform-version: ${{ steps.minMax.outputs.minVersion }} tflint-version: ${{ env.TFLINT_VERSION }} @@ -53,7 +61,7 @@ jobs: - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }} # Run only validate pre-commit check on min version supported if: ${{ matrix.directory == '.' }} - uses: clowdhaus/terraform-composite-actions/pre-commit@v1.8.3 + uses: clowdhaus/terraform-composite-actions/pre-commit@v1.9.0 with: terraform-version: ${{ steps.minMax.outputs.minVersion }} tflint-version: ${{ env.TFLINT_VERSION }} @@ -64,18 +72,26 @@ jobs: runs-on: ubuntu-latest needs: collectInputs steps: + # https://github.com/orgs/community/discussions/25678#discussioncomment-5242449 + - name: Delete huge unnecessary tools folder + run: | + rm -rf /opt/hostedtoolcache/CodeQL + rm -rf /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk + rm -rf /opt/hostedtoolcache/Ruby + rm -rf /opt/hostedtoolcache/go + - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.head.ref }} repository: ${{github.event.pull_request.head.repo.full_name}} - name: Terraform min/max versions id: minMax - uses: clowdhaus/terraform-min-max@v1.2.4 + uses: clowdhaus/terraform-min-max@v1.3.0 - name: Pre-commit Terraform ${{ steps.minMax.outputs.maxVersion }} - uses: clowdhaus/terraform-composite-actions/pre-commit@v1.8.3 + uses: clowdhaus/terraform-composite-actions/pre-commit@v1.9.0 with: terraform-version: ${{ steps.minMax.outputs.maxVersion }} tflint-version: ${{ env.TFLINT_VERSION }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 81f674740..4a9422614 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -20,18 +20,18 @@ jobs: if: github.repository_owner == 'terraform-aws-modules' steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: persist-credentials: false fetch-depth: 0 - name: Release - uses: cycjimmy/semantic-release-action@v3 + uses: cycjimmy/semantic-release-action@v4 with: - semantic_version: 18.0.0 + semantic_version: 23.0.2 extra_plugins: | - @semantic-release/changelog@6.0.0 - @semantic-release/git@10.0.0 - conventional-changelog-conventionalcommits@4.6.3 + @semantic-release/changelog@6.0.3 + @semantic-release/git@10.0.1 + conventional-changelog-conventionalcommits@7.0.2 env: GITHUB_TOKEN: ${{ secrets.SEMANTIC_RELEASE_TOKEN }} diff --git a/.github/workflows/stale-actions.yaml b/.github/workflows/stale-actions.yaml index 50379957f..6ccd0ed85 100644 --- a/.github/workflows/stale-actions.yaml +++ b/.github/workflows/stale-actions.yaml @@ -7,7 +7,7 @@ jobs: stale: runs-on: ubuntu-latest steps: - - uses: actions/stale@v6 + - uses: actions/stale@v9 with: repo-token: ${{ secrets.GITHUB_TOKEN }} # Staling issues and PR's diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 74b0a6bcd..395404e80 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,9 +1,8 @@ repos: - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.86.0 + rev: v1.88.0 hooks: - id: terraform_fmt - - id: terraform_validate - id: terraform_docs args: - '--args=--lockfile=false' @@ -22,8 +21,11 @@ repos: - '--args=--only=terraform_required_providers' - '--args=--only=terraform_standard_module_structure' - '--args=--only=terraform_workspace_remote' + - '--args=--only=terraform_unused_required_providers' + - id: terraform_validate - repo: https://github.com/pre-commit/pre-commit-hooks rev: v4.5.0 hooks: - id: check-merge-conflict - id: end-of-file-fixer + - id: trailing-whitespace diff --git a/examples/separate-route-tables/README.md b/examples/separate-route-tables/README.md index 063a51dde..5f45a5276 100644 --- a/examples/separate-route-tables/README.md +++ b/examples/separate-route-tables/README.md @@ -1,6 +1,6 @@ # VPC with separate private route tables -Configuration in this directory creates set of VPC resources which may be sufficient for staging or production environment (look into [simple-vpc](../simple-vpc) for more simplified setup). +Configuration in this directory creates set of VPC resources which may be sufficient for staging or production environment (look into [simple-vpc](../simple-vpc) for more simplified setup). There are public, private, database, ElastiCache, Redshift subnets, NAT Gateways created in each availability zone. **This example sets up separate private route for database, elasticache and redshift subnets.**. From 3e793b424af55cca62b1158eb02fd662cc7e4ca1 Mon Sep 17 00:00:00 2001 From: semantic-release-bot Date: Wed, 6 Mar 2024 19:12:48 +0000 Subject: [PATCH 16/41] chore(release): version 5.5.3 [skip ci] ## [5.5.3](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.5.2...v5.5.3) (2024-03-06) ### Bug Fixes * Update CI workflow versions to remove deprecated runtime warnings ([#1052](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/1052)) ([3b5b7f1](https://github.com/terraform-aws-modules/terraform-aws-vpc/commit/3b5b7f1fea768c6c933ea1ce2f8ee11250fa94cb)) --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 97060b8f6..96017b202 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,13 @@ All notable changes to this project will be documented in this file. +## [5.5.3](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.5.2...v5.5.3) (2024-03-06) + + +### Bug Fixes + +* Update CI workflow versions to remove deprecated runtime warnings ([#1052](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/1052)) ([3b5b7f1](https://github.com/terraform-aws-modules/terraform-aws-vpc/commit/3b5b7f1fea768c6c933ea1ce2f8ee11250fa94cb)) + ### [5.5.2](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.5.1...v5.5.2) (2024-02-09) From e2970fd747bbf5d0b1539f7bbbdced56977a1bdf Mon Sep 17 00:00:00 2001 From: Melissa Greenbaum <69476188+magreenbaum@users.noreply.github.com> Date: Thu, 14 Mar 2024 09:13:56 -0400 Subject: [PATCH 17/41] feat: Support VPC flow log cloudwatch log group class (#1053) support log group class --- README.md | 5 +++-- examples/complete/README.md | 4 ++-- examples/complete/versions.tf | 2 +- examples/ipam/README.md | 4 ++-- examples/ipam/versions.tf | 2 +- examples/ipv6-dualstack/README.md | 4 ++-- examples/ipv6-dualstack/versions.tf | 2 +- examples/ipv6-only/README.md | 4 ++-- examples/ipv6-only/versions.tf | 2 +- examples/issues/README.md | 4 ++-- examples/issues/versions.tf | 2 +- examples/manage-default-vpc/README.md | 2 +- examples/manage-default-vpc/versions.tf | 2 +- examples/network-acls/README.md | 4 ++-- examples/network-acls/versions.tf | 2 +- examples/outpost/README.md | 4 ++-- examples/outpost/versions.tf | 2 +- examples/secondary-cidr-blocks/README.md | 4 ++-- examples/secondary-cidr-blocks/versions.tf | 2 +- examples/separate-route-tables/README.md | 4 ++-- examples/separate-route-tables/versions.tf | 2 +- examples/simple/README.md | 4 ++-- examples/simple/versions.tf | 2 +- examples/vpc-flow-logs/README.md | 4 ++-- examples/vpc-flow-logs/main.tf | 1 + examples/vpc-flow-logs/versions.tf | 2 +- modules/vpc-endpoints/README.md | 4 ++-- modules/vpc-endpoints/versions.tf | 2 +- variables.tf | 6 ++++++ versions.tf | 2 +- vpc-flow-logs.tf | 1 + 31 files changed, 50 insertions(+), 41 deletions(-) diff --git a/README.md b/README.md index 371702918..127493807 100644 --- a/README.md +++ b/README.md @@ -256,13 +256,13 @@ Full contributing [guidelines are covered here](.github/contributing.md). | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 5.20 | +| [aws](#requirement\_aws) | >= 5.30 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 5.20 | +| [aws](#provider\_aws) | >= 5.30 | ## Modules @@ -445,6 +445,7 @@ No modules. | [external\_nat\_ip\_ids](#input\_external\_nat\_ip\_ids) | List of EIP IDs to be assigned to the NAT Gateways (used in combination with reuse\_nat\_ips) | `list(string)` | `[]` | no | | [external\_nat\_ips](#input\_external\_nat\_ips) | List of EIPs to be used for `nat_public_ips` output (used in combination with reuse\_nat\_ips and external\_nat\_ip\_ids) | `list(string)` | `[]` | no | | [flow\_log\_cloudwatch\_iam\_role\_arn](#input\_flow\_log\_cloudwatch\_iam\_role\_arn) | The ARN for the IAM role that's used to post flow logs to a CloudWatch Logs log group. When flow\_log\_destination\_arn is set to ARN of Cloudwatch Logs, this argument needs to be provided | `string` | `""` | no | +| [flow\_log\_cloudwatch\_log\_group\_class](#input\_flow\_log\_cloudwatch\_log\_group\_class) | Specified the log class of the log group. Possible values are: STANDARD or INFREQUENT\_ACCESS | `string` | `null` | no | | [flow\_log\_cloudwatch\_log\_group\_kms\_key\_id](#input\_flow\_log\_cloudwatch\_log\_group\_kms\_key\_id) | The ARN of the KMS Key to use when encrypting log data for VPC flow logs | `string` | `null` | no | | [flow\_log\_cloudwatch\_log\_group\_name\_prefix](#input\_flow\_log\_cloudwatch\_log\_group\_name\_prefix) | Specifies the name prefix of CloudWatch Log Group for VPC flow logs | `string` | `"/aws/vpc-flow-log/"` | no | | [flow\_log\_cloudwatch\_log\_group\_name\_suffix](#input\_flow\_log\_cloudwatch\_log\_group\_name\_suffix) | Specifies the name suffix of CloudWatch Log Group for VPC flow logs | `string` | `""` | no | diff --git a/examples/complete/README.md b/examples/complete/README.md index 4d359dd89..fbe618488 100644 --- a/examples/complete/README.md +++ b/examples/complete/README.md @@ -22,13 +22,13 @@ Note that this example may create resources which can cost money (AWS Elastic IP | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 5.20 | +| [aws](#requirement\_aws) | >= 5.30 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 5.20 | +| [aws](#provider\_aws) | >= 5.30 | ## Modules diff --git a/examples/complete/versions.tf b/examples/complete/versions.tf index f8fba3dfd..22111ba53 100644 --- a/examples/complete/versions.tf +++ b/examples/complete/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.20" + version = ">= 5.30" } } } diff --git a/examples/ipam/README.md b/examples/ipam/README.md index 2aa0998e6..ce1070c5a 100644 --- a/examples/ipam/README.md +++ b/examples/ipam/README.md @@ -30,13 +30,13 @@ Note that this example may create resources which can cost money (AWS Elastic IP | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 5.20 | +| [aws](#requirement\_aws) | >= 5.30 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 5.20 | +| [aws](#provider\_aws) | >= 5.30 | ## Modules diff --git a/examples/ipam/versions.tf b/examples/ipam/versions.tf index f8fba3dfd..22111ba53 100644 --- a/examples/ipam/versions.tf +++ b/examples/ipam/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.20" + version = ">= 5.30" } } } diff --git a/examples/ipv6-dualstack/README.md b/examples/ipv6-dualstack/README.md index 9b99735f5..5b5c17c09 100644 --- a/examples/ipv6-dualstack/README.md +++ b/examples/ipv6-dualstack/README.md @@ -20,13 +20,13 @@ Note that this example may create resources which can cost money (AWS Elastic IP | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 5.20 | +| [aws](#requirement\_aws) | >= 5.30 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 5.20 | +| [aws](#provider\_aws) | >= 5.30 | ## Modules diff --git a/examples/ipv6-dualstack/versions.tf b/examples/ipv6-dualstack/versions.tf index f8fba3dfd..22111ba53 100644 --- a/examples/ipv6-dualstack/versions.tf +++ b/examples/ipv6-dualstack/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.20" + version = ">= 5.30" } } } diff --git a/examples/ipv6-only/README.md b/examples/ipv6-only/README.md index fca0b6799..e4fea6c43 100644 --- a/examples/ipv6-only/README.md +++ b/examples/ipv6-only/README.md @@ -20,13 +20,13 @@ Note that this example may create resources which can cost money (AWS Elastic IP | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 5.20 | +| [aws](#requirement\_aws) | >= 5.30 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 5.20 | +| [aws](#provider\_aws) | >= 5.30 | ## Modules diff --git a/examples/ipv6-only/versions.tf b/examples/ipv6-only/versions.tf index f8fba3dfd..22111ba53 100644 --- a/examples/ipv6-only/versions.tf +++ b/examples/ipv6-only/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.20" + version = ">= 5.30" } } } diff --git a/examples/issues/README.md b/examples/issues/README.md index 6ec13c86f..a312e67a7 100644 --- a/examples/issues/README.md +++ b/examples/issues/README.md @@ -25,13 +25,13 @@ Note that this example may create resources which can cost money (AWS Elastic IP | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 5.20 | +| [aws](#requirement\_aws) | >= 5.30 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 5.20 | +| [aws](#provider\_aws) | >= 5.30 | ## Modules diff --git a/examples/issues/versions.tf b/examples/issues/versions.tf index f8fba3dfd..22111ba53 100644 --- a/examples/issues/versions.tf +++ b/examples/issues/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.20" + version = ">= 5.30" } } } diff --git a/examples/manage-default-vpc/README.md b/examples/manage-default-vpc/README.md index c37171dc9..d1e70e542 100644 --- a/examples/manage-default-vpc/README.md +++ b/examples/manage-default-vpc/README.md @@ -22,7 +22,7 @@ Run `terraform destroy` when you don't need these resources. | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 5.20 | +| [aws](#requirement\_aws) | >= 5.30 | ## Providers diff --git a/examples/manage-default-vpc/versions.tf b/examples/manage-default-vpc/versions.tf index f8fba3dfd..22111ba53 100644 --- a/examples/manage-default-vpc/versions.tf +++ b/examples/manage-default-vpc/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.20" + version = ">= 5.30" } } } diff --git a/examples/network-acls/README.md b/examples/network-acls/README.md index f0fa51948..477a903d2 100644 --- a/examples/network-acls/README.md +++ b/examples/network-acls/README.md @@ -24,13 +24,13 @@ Note that this example may create resources which can cost money (AWS Elastic IP | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 5.20 | +| [aws](#requirement\_aws) | >= 5.30 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 5.20 | +| [aws](#provider\_aws) | >= 5.30 | ## Modules diff --git a/examples/network-acls/versions.tf b/examples/network-acls/versions.tf index f8fba3dfd..22111ba53 100644 --- a/examples/network-acls/versions.tf +++ b/examples/network-acls/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.20" + version = ">= 5.30" } } } diff --git a/examples/outpost/README.md b/examples/outpost/README.md index 6d3ca4d47..8105dff04 100644 --- a/examples/outpost/README.md +++ b/examples/outpost/README.md @@ -24,13 +24,13 @@ Note that this example may create resources which can cost money (AWS Elastic IP | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 5.20 | +| [aws](#requirement\_aws) | >= 5.30 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 5.20 | +| [aws](#provider\_aws) | >= 5.30 | ## Modules diff --git a/examples/outpost/versions.tf b/examples/outpost/versions.tf index f8fba3dfd..22111ba53 100644 --- a/examples/outpost/versions.tf +++ b/examples/outpost/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.20" + version = ">= 5.30" } } } diff --git a/examples/secondary-cidr-blocks/README.md b/examples/secondary-cidr-blocks/README.md index 176b774ce..be90f2670 100644 --- a/examples/secondary-cidr-blocks/README.md +++ b/examples/secondary-cidr-blocks/README.md @@ -22,13 +22,13 @@ Note that this example may create resources which can cost money (AWS Elastic IP | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 5.20 | +| [aws](#requirement\_aws) | >= 5.30 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 5.20 | +| [aws](#provider\_aws) | >= 5.30 | ## Modules diff --git a/examples/secondary-cidr-blocks/versions.tf b/examples/secondary-cidr-blocks/versions.tf index f8fba3dfd..22111ba53 100644 --- a/examples/secondary-cidr-blocks/versions.tf +++ b/examples/secondary-cidr-blocks/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.20" + version = ">= 5.30" } } } diff --git a/examples/separate-route-tables/README.md b/examples/separate-route-tables/README.md index 5f45a5276..cd7be22ed 100644 --- a/examples/separate-route-tables/README.md +++ b/examples/separate-route-tables/README.md @@ -22,13 +22,13 @@ Note that this example may create resources which can cost money (AWS Elastic IP | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 5.20 | +| [aws](#requirement\_aws) | >= 5.30 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 5.20 | +| [aws](#provider\_aws) | >= 5.30 | ## Modules diff --git a/examples/separate-route-tables/versions.tf b/examples/separate-route-tables/versions.tf index f8fba3dfd..22111ba53 100644 --- a/examples/separate-route-tables/versions.tf +++ b/examples/separate-route-tables/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.20" + version = ">= 5.30" } } } diff --git a/examples/simple/README.md b/examples/simple/README.md index 9fb29e7f2..fb62fba7c 100644 --- a/examples/simple/README.md +++ b/examples/simple/README.md @@ -26,13 +26,13 @@ Note that this example may create resources which can cost money (AWS Elastic IP | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 5.20 | +| [aws](#requirement\_aws) | >= 5.30 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 5.20 | +| [aws](#provider\_aws) | >= 5.30 | ## Modules diff --git a/examples/simple/versions.tf b/examples/simple/versions.tf index f8fba3dfd..22111ba53 100644 --- a/examples/simple/versions.tf +++ b/examples/simple/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.20" + version = ">= 5.30" } } } diff --git a/examples/vpc-flow-logs/README.md b/examples/vpc-flow-logs/README.md index 47bc8bc94..e8b6f0d3b 100644 --- a/examples/vpc-flow-logs/README.md +++ b/examples/vpc-flow-logs/README.md @@ -24,14 +24,14 @@ Note that this example may create resources which can cost money (AWS Elastic IP | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 5.20 | +| [aws](#requirement\_aws) | >= 5.30 | | [random](#requirement\_random) | >= 2.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 5.20 | +| [aws](#provider\_aws) | >= 5.30 | | [random](#provider\_random) | >= 2.0 | ## Modules diff --git a/examples/vpc-flow-logs/main.tf b/examples/vpc-flow-logs/main.tf index 140aa0cd6..9fee41bdf 100644 --- a/examples/vpc-flow-logs/main.tf +++ b/examples/vpc-flow-logs/main.tf @@ -78,6 +78,7 @@ module "vpc_with_flow_logs_cloudwatch_logs_default" { flow_log_max_aggregation_interval = 60 flow_log_cloudwatch_log_group_name_prefix = "/aws/my-amazing-vpc-flow-logz/" flow_log_cloudwatch_log_group_name_suffix = "my-test" + flow_log_cloudwatch_log_group_class = "INFREQUENT_ACCESS" vpc_flow_log_tags = local.tags } diff --git a/examples/vpc-flow-logs/versions.tf b/examples/vpc-flow-logs/versions.tf index 0ac52370c..6af908428 100644 --- a/examples/vpc-flow-logs/versions.tf +++ b/examples/vpc-flow-logs/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.20" + version = ">= 5.30" } random = { diff --git a/modules/vpc-endpoints/README.md b/modules/vpc-endpoints/README.md index 235cef659..6c0de6a46 100644 --- a/modules/vpc-endpoints/README.md +++ b/modules/vpc-endpoints/README.md @@ -56,13 +56,13 @@ module "endpoints" { | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 5.20 | +| [aws](#requirement\_aws) | >= 5.30 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 5.20 | +| [aws](#provider\_aws) | >= 5.30 | ## Modules diff --git a/modules/vpc-endpoints/versions.tf b/modules/vpc-endpoints/versions.tf index f8fba3dfd..22111ba53 100644 --- a/modules/vpc-endpoints/versions.tf +++ b/modules/vpc-endpoints/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.20" + version = ">= 5.30" } } } diff --git a/variables.tf b/variables.tf index c990ecdbd..ce81d687a 100644 --- a/variables.tf +++ b/variables.tf @@ -1584,6 +1584,12 @@ variable "flow_log_cloudwatch_log_group_skip_destroy" { default = false } +variable "flow_log_cloudwatch_log_group_class" { + description = "Specified the log class of the log group. Possible values are: STANDARD or INFREQUENT_ACCESS" + type = string + default = null +} + variable "putin_khuylo" { description = "Do you agree that Putin doesn't respect Ukrainian sovereignty and territorial integrity? More info: https://en.wikipedia.org/wiki/Putin_khuylo!" type = bool diff --git a/versions.tf b/versions.tf index f8fba3dfd..22111ba53 100644 --- a/versions.tf +++ b/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.20" + version = ">= 5.30" } } } diff --git a/vpc-flow-logs.tf b/vpc-flow-logs.tf index 9e453c819..e21cd11e6 100644 --- a/vpc-flow-logs.tf +++ b/vpc-flow-logs.tf @@ -50,6 +50,7 @@ resource "aws_cloudwatch_log_group" "flow_log" { retention_in_days = var.flow_log_cloudwatch_log_group_retention_in_days kms_key_id = var.flow_log_cloudwatch_log_group_kms_key_id skip_destroy = var.flow_log_cloudwatch_log_group_skip_destroy + log_group_class = var.flow_log_cloudwatch_log_group_class tags = merge(var.tags, var.vpc_flow_log_tags) } From 878b5d2e5a94f94819dcf93424c0d3c026144de8 Mon Sep 17 00:00:00 2001 From: semantic-release-bot Date: Thu, 14 Mar 2024 13:14:25 +0000 Subject: [PATCH 18/41] chore(release): version 5.6.0 [skip ci] ## [5.6.0](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.5.3...v5.6.0) (2024-03-14) ### Features * Support VPC flow log cloudwatch log group class ([#1053](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/1053)) ([e2970fd](https://github.com/terraform-aws-modules/terraform-aws-vpc/commit/e2970fd747bbf5d0b1539f7bbbdced56977a1bdf)) --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 96017b202..ea27525ba 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,13 @@ All notable changes to this project will be documented in this file. +## [5.6.0](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.5.3...v5.6.0) (2024-03-14) + + +### Features + +* Support VPC flow log cloudwatch log group class ([#1053](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/1053)) ([e2970fd](https://github.com/terraform-aws-modules/terraform-aws-vpc/commit/e2970fd747bbf5d0b1539f7bbbdced56977a1bdf)) + ## [5.5.3](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.5.2...v5.5.3) (2024-03-06) From 9163310db647ed98094319980bd8eef72bee492b Mon Sep 17 00:00:00 2001 From: Zack A <24322023+zack-is-cool@users.noreply.github.com> Date: Fri, 22 Mar 2024 11:40:04 -0700 Subject: [PATCH 19/41] feat: Allow setting vpc endpoints as an input for each endpoint (#1056) --- modules/vpc-endpoints/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/vpc-endpoints/main.tf b/modules/vpc-endpoints/main.tf index fef2f8c05..5526c3344 100644 --- a/modules/vpc-endpoints/main.tf +++ b/modules/vpc-endpoints/main.tf @@ -24,7 +24,7 @@ resource "aws_vpc_endpoint" "this" { for_each = local.endpoints vpc_id = var.vpc_id - service_name = data.aws_vpc_endpoint_service.this[each.key].service_name + service_name = try(each.value.service_endpoint, data.aws_vpc_endpoint_service.this[each.key].service_name) vpc_endpoint_type = try(each.value.service_type, "Interface") auto_accept = try(each.value.auto_accept, null) From 47e101dc71818902de9bf8967c22fdbb42cd540d Mon Sep 17 00:00:00 2001 From: semantic-release-bot Date: Fri, 22 Mar 2024 18:40:35 +0000 Subject: [PATCH 20/41] chore(release): version 5.7.0 [skip ci] ## [5.7.0](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.6.0...v5.7.0) (2024-03-22) ### Features * Allow setting vpc endpoints as an input for each endpoint ([#1056](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/1056)) ([9163310](https://github.com/terraform-aws-modules/terraform-aws-vpc/commit/9163310db647ed98094319980bd8eef72bee492b)) --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index ea27525ba..b91031574 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,13 @@ All notable changes to this project will be documented in this file. +## [5.7.0](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.6.0...v5.7.0) (2024-03-22) + + +### Features + +* Allow setting vpc endpoints as an input for each endpoint ([#1056](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/1056)) ([9163310](https://github.com/terraform-aws-modules/terraform-aws-vpc/commit/9163310db647ed98094319980bd8eef72bee492b)) + ## [5.6.0](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.5.3...v5.6.0) (2024-03-14) From 77df552a8aa43bb3711243a3a5ef3e29f70a4068 Mon Sep 17 00:00:00 2001 From: wiseelf <30684491+wiseelf@users.noreply.github.com> Date: Sat, 6 Apr 2024 02:27:00 +0200 Subject: [PATCH 21/41] fix: Create the same number of IPv6 egress only gateway routes as the number of NAT gateways that are enabled/created (#1059) --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index ef65f2be7..d7429e59f 100644 --- a/main.tf +++ b/main.tf @@ -1021,7 +1021,7 @@ resource "aws_egress_only_internet_gateway" "this" { } resource "aws_route" "private_ipv6_egress" { - count = local.create_vpc && var.create_egress_only_igw && var.enable_ipv6 ? local.len_private_subnets : 0 + count = local.create_vpc && var.create_egress_only_igw && var.enable_ipv6 ? local.nat_gateway_count : 0 route_table_id = element(aws_route_table.private[*].id, count.index) destination_ipv6_cidr_block = "::/0" From c182453f881ae77afd14c826dc8e23498b957907 Mon Sep 17 00:00:00 2001 From: semantic-release-bot Date: Sat, 6 Apr 2024 00:27:27 +0000 Subject: [PATCH 22/41] chore(release): version 5.7.1 [skip ci] ## [5.7.1](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.7.0...v5.7.1) (2024-04-06) ### Bug Fixes * Create the same number of IPv6 egress only gateway routes as the number of NAT gateways that are enabled/created ([#1059](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/1059)) ([77df552](https://github.com/terraform-aws-modules/terraform-aws-vpc/commit/77df552a8aa43bb3711243a3a5ef3e29f70a4068)) --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index b91031574..f2c9ad330 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,13 @@ All notable changes to this project will be documented in this file. +## [5.7.1](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.7.0...v5.7.1) (2024-04-06) + + +### Bug Fixes + +* Create the same number of IPv6 egress only gateway routes as the number of NAT gateways that are enabled/created ([#1059](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/1059)) ([77df552](https://github.com/terraform-aws-modules/terraform-aws-vpc/commit/77df552a8aa43bb3711243a3a5ef3e29f70a4068)) + ## [5.7.0](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.6.0...v5.7.0) (2024-03-22) From 8701204c28a0ff984c5ade71400c6208c6953bfc Mon Sep 17 00:00:00 2001 From: Manuel Enrique Colotti Date: Thu, 25 Apr 2024 01:56:50 +0200 Subject: [PATCH 23/41] fix: Create private_ipv6_egress routes only when having at least one private subnet (#1062) Co-authored-by: Manuel Enrique Colotti --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index d7429e59f..fa144b221 100644 --- a/main.tf +++ b/main.tf @@ -1021,7 +1021,7 @@ resource "aws_egress_only_internet_gateway" "this" { } resource "aws_route" "private_ipv6_egress" { - count = local.create_vpc && var.create_egress_only_igw && var.enable_ipv6 ? local.nat_gateway_count : 0 + count = local.create_vpc && var.create_egress_only_igw && var.enable_ipv6 && local.len_private_subnets > 0 ? local.nat_gateway_count : 0 route_table_id = element(aws_route_table.private[*].id, count.index) destination_ipv6_cidr_block = "::/0" From 15423e76e242bb75463db8d44febb4252a1abb1c Mon Sep 17 00:00:00 2001 From: semantic-release-bot Date: Wed, 24 Apr 2024 23:57:18 +0000 Subject: [PATCH 24/41] chore(release): version 5.7.2 [skip ci] ## [5.7.2](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.7.1...v5.7.2) (2024-04-24) ### Bug Fixes * Create private_ipv6_egress routes only when having at least one private subnet ([#1062](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/1062)) ([8701204](https://github.com/terraform-aws-modules/terraform-aws-vpc/commit/8701204c28a0ff984c5ade71400c6208c6953bfc)) --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index f2c9ad330..5c757b6b0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,13 @@ All notable changes to this project will be documented in this file. +## [5.7.2](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.7.1...v5.7.2) (2024-04-24) + + +### Bug Fixes + +* Create private_ipv6_egress routes only when having at least one private subnet ([#1062](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/1062)) ([8701204](https://github.com/terraform-aws-modules/terraform-aws-vpc/commit/8701204c28a0ff984c5ade71400c6208c6953bfc)) + ## [5.7.1](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.7.0...v5.7.1) (2024-04-06) From da05f24c5c603a31d320d5ad92493bb39fea9f3d Mon Sep 17 00:00:00 2001 From: KevinSnyderCodes Date: Wed, 24 Apr 2024 17:29:32 -0700 Subject: [PATCH 25/41] feat: Add support for multiple route tables to public and intra subnets (#1051) Co-authored-by: Kevin Snyder Co-authored-by: Bryant Biggs --- .pre-commit-config.yaml | 4 ++-- README.md | 2 ++ main.tf | 30 ++++++++++++++++++++++++------ variables.tf | 12 ++++++++++++ 4 files changed, 40 insertions(+), 8 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 395404e80..52094d450 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,6 +1,6 @@ repos: - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.88.0 + rev: v1.89.0 hooks: - id: terraform_fmt - id: terraform_docs @@ -24,7 +24,7 @@ repos: - '--args=--only=terraform_unused_required_providers' - id: terraform_validate - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.5.0 + rev: v4.6.0 hooks: - id: check-merge-conflict - id: end-of-file-fixer diff --git a/README.md b/README.md index 127493807..3e60ca885 100644 --- a/README.md +++ b/README.md @@ -369,6 +369,8 @@ No modules. | [create\_flow\_log\_cloudwatch\_iam\_role](#input\_create\_flow\_log\_cloudwatch\_iam\_role) | Whether to create IAM role for VPC Flow Logs | `bool` | `false` | no | | [create\_flow\_log\_cloudwatch\_log\_group](#input\_create\_flow\_log\_cloudwatch\_log\_group) | Whether to create CloudWatch log group for VPC Flow Logs | `bool` | `false` | no | | [create\_igw](#input\_create\_igw) | Controls if an Internet Gateway is created for public subnets and the related routes that connect them | `bool` | `true` | no | +| [create\_multiple\_intra\_route\_tables](#input\_create\_multiple\_intra\_route\_tables) | Indicates whether to create a separate route table for each intra subnet. Default: `false` | `bool` | `false` | no | +| [create\_multiple\_public\_route\_tables](#input\_create\_multiple\_public\_route\_tables) | Indicates whether to create a separate route table for each public subnet. Default: `false` | `bool` | `false` | no | | [create\_redshift\_subnet\_group](#input\_create\_redshift\_subnet\_group) | Controls if redshift subnet group should be created | `bool` | `true` | no | | [create\_redshift\_subnet\_route\_table](#input\_create\_redshift\_subnet\_route\_table) | Controls if separate route table for redshift should be created | `bool` | `false` | no | | [create\_vpc](#input\_create\_vpc) | Controls if VPC should be created (it affects almost all resources) | `bool` | `true` | no | diff --git a/main.tf b/main.tf index fa144b221..2c1e97f39 100644 --- a/main.tf +++ b/main.tf @@ -123,13 +123,22 @@ resource "aws_subnet" "public" { ) } +locals { + num_public_route_tables = var.create_multiple_public_route_tables ? local.len_public_subnets : 1 +} + resource "aws_route_table" "public" { - count = local.create_public_subnets ? 1 : 0 + count = local.create_public_subnets ? local.num_public_route_tables : 0 vpc_id = local.vpc_id tags = merge( - { "Name" = "${var.name}-${var.public_subnet_suffix}" }, + { + "Name" = var.create_multiple_public_route_tables ? format( + "${var.name}-${var.public_subnet_suffix}-%s", + element(var.azs, count.index), + ) : "${var.name}-${var.public_subnet_suffix}" + }, var.tags, var.public_route_table_tags, ) @@ -139,7 +148,7 @@ resource "aws_route_table_association" "public" { count = local.create_public_subnets ? local.len_public_subnets : 0 subnet_id = element(aws_subnet.public[*].id, count.index) - route_table_id = aws_route_table.public[0].id + route_table_id = element(aws_route_table.public[*].id, var.create_multiple_public_route_tables ? count.index : 0) } resource "aws_route" "public_internet_gateway" { @@ -816,13 +825,22 @@ resource "aws_subnet" "intra" { ) } +locals { + num_intra_route_tables = var.create_multiple_intra_route_tables ? local.len_intra_subnets : 1 +} + resource "aws_route_table" "intra" { - count = local.create_intra_subnets ? 1 : 0 + count = local.create_intra_subnets ? local.num_intra_route_tables : 0 vpc_id = local.vpc_id tags = merge( - { "Name" = "${var.name}-${var.intra_subnet_suffix}" }, + { + "Name" = var.create_multiple_intra_route_tables ? format( + "${var.name}-${var.intra_subnet_suffix}-%s", + element(var.azs, count.index), + ) : "${var.name}-${var.intra_subnet_suffix}" + }, var.tags, var.intra_route_table_tags, ) @@ -832,7 +850,7 @@ resource "aws_route_table_association" "intra" { count = local.create_intra_subnets ? local.len_intra_subnets : 0 subnet_id = element(aws_subnet.intra[*].id, count.index) - route_table_id = element(aws_route_table.intra[*].id, 0) + route_table_id = element(aws_route_table.intra[*].id, var.create_multiple_intra_route_tables ? count.index : 0) } ################################################################################ diff --git a/variables.tf b/variables.tf index ce81d687a..bd4dc3b29 100644 --- a/variables.tf +++ b/variables.tf @@ -196,6 +196,12 @@ variable "public_subnet_enable_resource_name_dns_a_record_on_launch" { default = false } +variable "create_multiple_public_route_tables" { + description = "Indicates whether to create a separate route table for each public subnet. Default: `false`" + type = bool + default = false +} + variable "public_subnet_ipv6_prefixes" { description = "Assigns IPv6 public subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list" type = list(string) @@ -914,6 +920,12 @@ variable "intra_subnet_enable_resource_name_dns_a_record_on_launch" { default = false } +variable "create_multiple_intra_route_tables" { + description = "Indicates whether to create a separate route table for each intra subnet. Default: `false`" + type = bool + default = false +} + variable "intra_subnet_ipv6_prefixes" { description = "Assigns IPv6 intra subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list" type = list(string) From e491354b0cf1201323a4a0c6c567759512c50fdb Mon Sep 17 00:00:00 2001 From: semantic-release-bot Date: Thu, 25 Apr 2024 00:30:00 +0000 Subject: [PATCH 26/41] chore(release): version 5.8.0 [skip ci] ## [5.8.0](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.7.2...v5.8.0) (2024-04-25) ### Features * Add support for multiple route tables to public and intra subnets ([#1051](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/1051)) ([da05f24](https://github.com/terraform-aws-modules/terraform-aws-vpc/commit/da05f24c5c603a31d320d5ad92493bb39fea9f3d)) --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5c757b6b0..25981d5d9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,13 @@ All notable changes to this project will be documented in this file. +## [5.8.0](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.7.2...v5.8.0) (2024-04-25) + + +### Features + +* Add support for multiple route tables to public and intra subnets ([#1051](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/1051)) ([da05f24](https://github.com/terraform-aws-modules/terraform-aws-vpc/commit/da05f24c5c603a31d320d5ad92493bb39fea9f3d)) + ## [5.7.2](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.7.1...v5.7.2) (2024-04-24) From cf18c37591f860908e2223b4f488787e8a5f74f3 Mon Sep 17 00:00:00 2001 From: Manuel Mazzuola <1757492+manuelmazzuola@users.noreply.github.com> Date: Fri, 26 Apr 2024 17:20:33 +0200 Subject: [PATCH 27/41] fix: Do not replace NAT gateways when additional subnets are added (#1055) fix: Do not replace nat gateways when new private subnets are added --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 2c1e97f39..32239e588 100644 --- a/main.tf +++ b/main.tf @@ -1052,7 +1052,7 @@ resource "aws_route" "private_ipv6_egress" { locals { nat_gateway_count = var.single_nat_gateway ? 1 : var.one_nat_gateway_per_az ? length(var.azs) : local.max_subnet_length - nat_gateway_ips = var.reuse_nat_ips ? var.external_nat_ip_ids : try(aws_eip.nat[*].id, []) + nat_gateway_ips = var.reuse_nat_ips ? var.external_nat_ip_ids : aws_eip.nat[*].id } resource "aws_eip" "nat" { From 25322b6b6be69db6cca7f167d7b0e5327156a595 Mon Sep 17 00:00:00 2001 From: semantic-release-bot Date: Fri, 26 Apr 2024 15:21:02 +0000 Subject: [PATCH 28/41] chore(release): version 5.8.1 [skip ci] ## [5.8.1](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.8.0...v5.8.1) (2024-04-26) ### Bug Fixes * Do not replace NAT gateways when additional subnets are added ([#1055](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/1055)) ([cf18c37](https://github.com/terraform-aws-modules/terraform-aws-vpc/commit/cf18c37591f860908e2223b4f488787e8a5f74f3)) --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 25981d5d9..2d08d2ade 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,13 @@ All notable changes to this project will be documented in this file. +## [5.8.1](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.8.0...v5.8.1) (2024-04-26) + + +### Bug Fixes + +* Do not replace NAT gateways when additional subnets are added ([#1055](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/1055)) ([cf18c37](https://github.com/terraform-aws-modules/terraform-aws-vpc/commit/cf18c37591f860908e2223b4f488787e8a5f74f3)) + ## [5.8.0](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.7.2...v5.8.0) (2024-04-25) From 4a2809c673afa13097af98c2e3c553da8db766a9 Mon Sep 17 00:00:00 2001 From: jwlogemann-mercell <164871460+jwlogemann-mercell@users.noreply.github.com> Date: Wed, 15 May 2024 18:00:12 +0200 Subject: [PATCH 29/41] docs: Updated links to examples in README (#1077) --- modules/vpc-endpoints/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/vpc-endpoints/README.md b/modules/vpc-endpoints/README.md index 6c0de6a46..acaaea87f 100644 --- a/modules/vpc-endpoints/README.md +++ b/modules/vpc-endpoints/README.md @@ -4,7 +4,7 @@ Terraform sub-module which creates VPC endpoint resources on AWS. ## Usage -See [`examples`](../../examples) directory for working examples to reference: +See [`examples`](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples) directory for working examples to reference: ```hcl module "endpoints" { @@ -48,7 +48,7 @@ module "endpoints" { ## Examples -- [Complete-VPC](../../examples/complete) with VPC Endpoints. +- [Complete-VPC](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/complete) with VPC Endpoints. ## Requirements From f8cd1681837c8c4a24af6fe73035724a03e1e66e Mon Sep 17 00:00:00 2001 From: carstensh <39093356+carstensh@users.noreply.github.com> Date: Fri, 5 Jul 2024 17:55:05 +0100 Subject: [PATCH 30/41] feat: Allow custom VPC Flow Log IAM Role name and IAM Policy name (#1089) * feat: Add support for users defining the VPC IAM role name * feat: Add support for users defining the VPC IAM policy name * docs: Update README.md --- README.md | 4 ++++ examples/complete/main.tf | 10 ++++++---- examples/vpc-flow-logs/README.md | 1 + examples/vpc-flow-logs/main.tf | 29 +++++++++++++++++++++++++++++ variables.tf | 25 +++++++++++++++++++++++++ vpc-flow-logs.tf | 7 +++++-- 6 files changed, 70 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 3e60ca885..d2b28a8b6 100644 --- a/README.md +++ b/README.md @@ -575,6 +575,10 @@ No modules. | [single\_nat\_gateway](#input\_single\_nat\_gateway) | Should be true if you want to provision a single shared NAT Gateway across all of your private networks | `bool` | `false` | no | | [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no | | [use\_ipam\_pool](#input\_use\_ipam\_pool) | Determines whether IPAM pool is used for CIDR allocation | `bool` | `false` | no | +| [vpc\_flow\_log\_iam\_policy\_name](#input\_vpc\_flow\_log\_iam\_policy\_name) | Name of the IAM policy | `string` | `"vpc-flow-log-to-cloudwatch"` | no | +| [vpc\_flow\_log\_iam\_policy\_use\_name\_prefix](#input\_vpc\_flow\_log\_iam\_policy\_use\_name\_prefix) | Determines whether the name of the IAM policy (`vpc_flow_log_iam_policy_name`) is used as a prefix | `bool` | `true` | no | +| [vpc\_flow\_log\_iam\_role\_name](#input\_vpc\_flow\_log\_iam\_role\_name) | Name to use on the VPC Flow Log IAM role created | `string` | `"vpc-flow-log-role"` | no | +| [vpc\_flow\_log\_iam\_role\_use\_name\_prefix](#input\_vpc\_flow\_log\_iam\_role\_use\_name\_prefix) | Determines whether the IAM role name (`vpc_flow_log_iam_role_name_name`) is used as a prefix | `bool` | `true` | no | | [vpc\_flow\_log\_permissions\_boundary](#input\_vpc\_flow\_log\_permissions\_boundary) | The ARN of the Permissions Boundary for the VPC Flow Log IAM Role | `string` | `null` | no | | [vpc\_flow\_log\_tags](#input\_vpc\_flow\_log\_tags) | Additional tags for the VPC Flow Logs | `map(string)` | `{}` | no | | [vpc\_tags](#input\_vpc\_tags) | Additional tags for the VPC | `map(string)` | `{}` | no | diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 204489880..579a47395 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -73,10 +73,12 @@ module "vpc" { dhcp_options_domain_name_servers = ["127.0.0.1", "10.10.0.2"] # VPC Flow Logs (Cloudwatch log group and IAM role will be created) - enable_flow_log = true - create_flow_log_cloudwatch_log_group = true - create_flow_log_cloudwatch_iam_role = true - flow_log_max_aggregation_interval = 60 + vpc_flow_log_iam_role_name = "vpc-complete-example-role" + vpc_flow_log_iam_role_use_name_prefix = false + enable_flow_log = true + create_flow_log_cloudwatch_log_group = true + create_flow_log_cloudwatch_iam_role = true + flow_log_max_aggregation_interval = 60 tags = local.tags } diff --git a/examples/vpc-flow-logs/README.md b/examples/vpc-flow-logs/README.md index e8b6f0d3b..f40bc01c7 100644 --- a/examples/vpc-flow-logs/README.md +++ b/examples/vpc-flow-logs/README.md @@ -41,6 +41,7 @@ Note that this example may create resources which can cost money (AWS Elastic IP | [s3\_bucket](#module\_s3\_bucket) | terraform-aws-modules/s3-bucket/aws | ~> 3.0 | | [vpc\_with\_flow\_logs\_cloudwatch\_logs](#module\_vpc\_with\_flow\_logs\_cloudwatch\_logs) | ../../ | n/a | | [vpc\_with\_flow\_logs\_cloudwatch\_logs\_default](#module\_vpc\_with\_flow\_logs\_cloudwatch\_logs\_default) | ../../ | n/a | +| [vpc\_with\_flow\_logs\_cloudwatch\_logs\_prefix](#module\_vpc\_with\_flow\_logs\_cloudwatch\_logs\_prefix) | ../../ | n/a | | [vpc\_with\_flow\_logs\_s3\_bucket](#module\_vpc\_with\_flow\_logs\_s3\_bucket) | ../../ | n/a | | [vpc\_with\_flow\_logs\_s3\_bucket\_parquet](#module\_vpc\_with\_flow\_logs\_s3\_bucket\_parquet) | ../../ | n/a | diff --git a/examples/vpc-flow-logs/main.tf b/examples/vpc-flow-logs/main.tf index 9fee41bdf..7cd35d34f 100644 --- a/examples/vpc-flow-logs/main.tf +++ b/examples/vpc-flow-logs/main.tf @@ -83,6 +83,35 @@ module "vpc_with_flow_logs_cloudwatch_logs_default" { vpc_flow_log_tags = local.tags } +# CloudWatch Log Group and IAM prefix +module "vpc_with_flow_logs_cloudwatch_logs_prefix" { + source = "../../" + + name = "${local.name}-cloudwatch-logs-prefix" + cidr = local.vpc_cidr + + azs = local.azs + private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k)] + public_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 4)] + + # Cloudwatch log group and IAM role will be created + enable_flow_log = true + create_flow_log_cloudwatch_log_group = true + create_flow_log_cloudwatch_iam_role = true + + vpc_flow_log_iam_role_name = "vpc-iam-prefix-example" + vpc_flow_log_iam_role_use_name_prefix = true + vpc_flow_log_iam_policy_name = "vpc-iam-prefix-example" + vpc_flow_log_iam_policy_use_name_prefix = true + + flow_log_max_aggregation_interval = 60 + flow_log_cloudwatch_log_group_name_prefix = "/aws/my-amazing-vpc-flow-logz/" + flow_log_cloudwatch_log_group_name_suffix = "my-test" + flow_log_cloudwatch_log_group_class = "INFREQUENT_ACCESS" + + vpc_flow_log_tags = local.tags +} + # CloudWatch Log Group and IAM role created separately module "vpc_with_flow_logs_cloudwatch_logs" { source = "../../" diff --git a/variables.tf b/variables.tf index bd4dc3b29..e0f31ad12 100644 --- a/variables.tf +++ b/variables.tf @@ -1478,12 +1478,37 @@ variable "enable_flow_log" { default = false } +variable "vpc_flow_log_iam_role_name" { + description = "Name to use on the VPC Flow Log IAM role created" + type = string + default = "vpc-flow-log-role" +} + +variable "vpc_flow_log_iam_role_use_name_prefix" { + description = "Determines whether the IAM role name (`vpc_flow_log_iam_role_name_name`) is used as a prefix" + type = bool + default = true +} + + variable "vpc_flow_log_permissions_boundary" { description = "The ARN of the Permissions Boundary for the VPC Flow Log IAM Role" type = string default = null } +variable "vpc_flow_log_iam_policy_name" { + description = "Name of the IAM policy" + type = string + default = "vpc-flow-log-to-cloudwatch" +} + +variable "vpc_flow_log_iam_policy_use_name_prefix" { + description = "Determines whether the name of the IAM policy (`vpc_flow_log_iam_policy_name`) is used as a prefix" + type = bool + default = true +} + variable "flow_log_max_aggregation_interval" { description = "The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: `60` seconds or `600` seconds" type = number diff --git a/vpc-flow-logs.tf b/vpc-flow-logs.tf index e21cd11e6..88b30789c 100644 --- a/vpc-flow-logs.tf +++ b/vpc-flow-logs.tf @@ -58,7 +58,9 @@ resource "aws_cloudwatch_log_group" "flow_log" { resource "aws_iam_role" "vpc_flow_log_cloudwatch" { count = local.create_flow_log_cloudwatch_iam_role ? 1 : 0 - name_prefix = "vpc-flow-log-role-" + name = var.vpc_flow_log_iam_role_use_name_prefix ? null : var.vpc_flow_log_iam_role_name + name_prefix = var.vpc_flow_log_iam_role_use_name_prefix ? "${var.vpc_flow_log_iam_role_name}-" : null + assume_role_policy = data.aws_iam_policy_document.flow_log_cloudwatch_assume_role[0].json permissions_boundary = var.vpc_flow_log_permissions_boundary @@ -92,7 +94,8 @@ resource "aws_iam_role_policy_attachment" "vpc_flow_log_cloudwatch" { resource "aws_iam_policy" "vpc_flow_log_cloudwatch" { count = local.create_flow_log_cloudwatch_iam_role ? 1 : 0 - name_prefix = "vpc-flow-log-to-cloudwatch-" + name = var.vpc_flow_log_iam_policy_use_name_prefix ? null : var.vpc_flow_log_iam_policy_name + name_prefix = var.vpc_flow_log_iam_policy_use_name_prefix ? "${var.vpc_flow_log_iam_policy_name}-" : null policy = data.aws_iam_policy_document.vpc_flow_log_cloudwatch[0].json tags = merge(var.tags, var.vpc_flow_log_tags) } From 2e417ad0ce830893127476436179ef483485ae84 Mon Sep 17 00:00:00 2001 From: semantic-release-bot Date: Fri, 5 Jul 2024 16:55:32 +0000 Subject: [PATCH 31/41] chore(release): version 5.9.0 [skip ci] ## [5.9.0](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.8.1...v5.9.0) (2024-07-05) ### Features * Allow custom VPC Flow Log IAM Role name and IAM Policy name ([#1089](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/1089)) ([f8cd168](https://github.com/terraform-aws-modules/terraform-aws-vpc/commit/f8cd1681837c8c4a24af6fe73035724a03e1e66e)) --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2d08d2ade..efe1b9d8d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,13 @@ All notable changes to this project will be documented in this file. +## [5.9.0](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.8.1...v5.9.0) (2024-07-05) + + +### Features + +* Allow custom VPC Flow Log IAM Role name and IAM Policy name ([#1089](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/1089)) ([f8cd168](https://github.com/terraform-aws-modules/terraform-aws-vpc/commit/f8cd1681837c8c4a24af6fe73035724a03e1e66e)) + ## [5.8.1](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.8.0...v5.8.1) (2024-04-26) From 3adb594bc794468c80a99c5c1808056a88767f45 Mon Sep 17 00:00:00 2001 From: Felix Bechstein Date: Fri, 2 Aug 2024 19:59:02 +0200 Subject: [PATCH 32/41] feat: Added ipv6_address_preferred_lease_time parameter to aws_vpc_dhcp_options resource (#1105) * feat: allow setting ipv6_address_preferred_lease_time dhcp options * chore: Update provider min required version to support change --------- Co-authored-by: Bryant Biggs --- .pre-commit-config.yaml | 2 +- README.md | 5 +++-- examples/complete/README.md | 4 ++-- examples/complete/versions.tf | 2 +- examples/ipam/README.md | 4 ++-- examples/ipam/versions.tf | 2 +- examples/ipv6-dualstack/README.md | 4 ++-- examples/ipv6-dualstack/versions.tf | 2 +- examples/ipv6-only/README.md | 4 ++-- examples/ipv6-only/versions.tf | 2 +- examples/issues/README.md | 4 ++-- examples/issues/versions.tf | 2 +- examples/manage-default-vpc/README.md | 2 +- examples/manage-default-vpc/versions.tf | 2 +- examples/network-acls/README.md | 4 ++-- examples/network-acls/versions.tf | 2 +- examples/outpost/README.md | 4 ++-- examples/outpost/versions.tf | 2 +- examples/secondary-cidr-blocks/README.md | 4 ++-- examples/secondary-cidr-blocks/versions.tf | 2 +- examples/separate-route-tables/README.md | 4 ++-- examples/separate-route-tables/versions.tf | 2 +- examples/simple/README.md | 4 ++-- examples/simple/versions.tf | 2 +- examples/vpc-flow-logs/README.md | 4 ++-- examples/vpc-flow-logs/versions.tf | 2 +- main.tf | 11 ++++++----- modules/vpc-endpoints/README.md | 4 ++-- modules/vpc-endpoints/versions.tf | 2 +- variables.tf | 6 ++++++ versions.tf | 2 +- 31 files changed, 55 insertions(+), 47 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 52094d450..3418005ed 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,6 +1,6 @@ repos: - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.89.0 + rev: v1.92.1 hooks: - id: terraform_fmt - id: terraform_docs diff --git a/README.md b/README.md index d2b28a8b6..cde28ac57 100644 --- a/README.md +++ b/README.md @@ -256,13 +256,13 @@ Full contributing [guidelines are covered here](.github/contributing.md). | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 5.30 | +| [aws](#requirement\_aws) | >= 5.46 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 5.30 | +| [aws](#provider\_aws) | >= 5.46 | ## Modules @@ -413,6 +413,7 @@ No modules. | [default\_vpc\_tags](#input\_default\_vpc\_tags) | Additional tags for the Default VPC | `map(string)` | `{}` | no | | [dhcp\_options\_domain\_name](#input\_dhcp\_options\_domain\_name) | Specifies DNS name for DHCP options set (requires enable\_dhcp\_options set to true) | `string` | `""` | no | | [dhcp\_options\_domain\_name\_servers](#input\_dhcp\_options\_domain\_name\_servers) | Specify a list of DNS server addresses for DHCP options set, default to AWS provided (requires enable\_dhcp\_options set to true) | `list(string)` | 
[
  "AmazonProvidedDNS"
]
| no | +| [dhcp\_options\_ipv6\_address\_preferred\_lease\_time](#input\_dhcp\_options\_ipv6\_address\_preferred\_lease\_time) | How frequently, in seconds, a running instance with an IPv6 assigned to it goes through DHCPv6 lease renewal (requires enable\_dhcp\_options set to true) | `number` | `null` | no | | [dhcp\_options\_netbios\_name\_servers](#input\_dhcp\_options\_netbios\_name\_servers) | Specify a list of netbios servers for DHCP options set (requires enable\_dhcp\_options set to true) | `list(string)` | `[]` | no | | [dhcp\_options\_netbios\_node\_type](#input\_dhcp\_options\_netbios\_node\_type) | Specify netbios node\_type for DHCP options set (requires enable\_dhcp\_options set to true) | `string` | `""` | no | | [dhcp\_options\_ntp\_servers](#input\_dhcp\_options\_ntp\_servers) | Specify a list of NTP servers for DHCP options set (requires enable\_dhcp\_options set to true) | `list(string)` | `[]` | no | diff --git a/examples/complete/README.md b/examples/complete/README.md index fbe618488..7def7d8cd 100644 --- a/examples/complete/README.md +++ b/examples/complete/README.md @@ -22,13 +22,13 @@ Note that this example may create resources which can cost money (AWS Elastic IP | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 5.30 | +| [aws](#requirement\_aws) | >= 5.46 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 5.30 | +| [aws](#provider\_aws) | >= 5.46 | ## Modules diff --git a/examples/complete/versions.tf b/examples/complete/versions.tf index 22111ba53..e1ed6107f 100644 --- a/examples/complete/versions.tf +++ b/examples/complete/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.30" + version = ">= 5.46" } } } diff --git a/examples/ipam/README.md b/examples/ipam/README.md index ce1070c5a..ce46e8091 100644 --- a/examples/ipam/README.md +++ b/examples/ipam/README.md @@ -30,13 +30,13 @@ Note that this example may create resources which can cost money (AWS Elastic IP | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 5.30 | +| [aws](#requirement\_aws) | >= 5.46 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 5.30 | +| [aws](#provider\_aws) | >= 5.46 | ## Modules diff --git a/examples/ipam/versions.tf b/examples/ipam/versions.tf index 22111ba53..e1ed6107f 100644 --- a/examples/ipam/versions.tf +++ b/examples/ipam/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.30" + version = ">= 5.46" } } } diff --git a/examples/ipv6-dualstack/README.md b/examples/ipv6-dualstack/README.md index 5b5c17c09..6ba90b025 100644 --- a/examples/ipv6-dualstack/README.md +++ b/examples/ipv6-dualstack/README.md @@ -20,13 +20,13 @@ Note that this example may create resources which can cost money (AWS Elastic IP | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 5.30 | +| [aws](#requirement\_aws) | >= 5.46 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 5.30 | +| [aws](#provider\_aws) | >= 5.46 | ## Modules diff --git a/examples/ipv6-dualstack/versions.tf b/examples/ipv6-dualstack/versions.tf index 22111ba53..e1ed6107f 100644 --- a/examples/ipv6-dualstack/versions.tf +++ b/examples/ipv6-dualstack/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.30" + version = ">= 5.46" } } } diff --git a/examples/ipv6-only/README.md b/examples/ipv6-only/README.md index e4fea6c43..8218895a2 100644 --- a/examples/ipv6-only/README.md +++ b/examples/ipv6-only/README.md @@ -20,13 +20,13 @@ Note that this example may create resources which can cost money (AWS Elastic IP | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 5.30 | +| [aws](#requirement\_aws) | >= 5.46 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 5.30 | +| [aws](#provider\_aws) | >= 5.46 | ## Modules diff --git a/examples/ipv6-only/versions.tf b/examples/ipv6-only/versions.tf index 22111ba53..e1ed6107f 100644 --- a/examples/ipv6-only/versions.tf +++ b/examples/ipv6-only/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.30" + version = ">= 5.46" } } } diff --git a/examples/issues/README.md b/examples/issues/README.md index a312e67a7..b749be57b 100644 --- a/examples/issues/README.md +++ b/examples/issues/README.md @@ -25,13 +25,13 @@ Note that this example may create resources which can cost money (AWS Elastic IP | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 5.30 | +| [aws](#requirement\_aws) | >= 5.46 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 5.30 | +| [aws](#provider\_aws) | >= 5.46 | ## Modules diff --git a/examples/issues/versions.tf b/examples/issues/versions.tf index 22111ba53..e1ed6107f 100644 --- a/examples/issues/versions.tf +++ b/examples/issues/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.30" + version = ">= 5.46" } } } diff --git a/examples/manage-default-vpc/README.md b/examples/manage-default-vpc/README.md index d1e70e542..4f2c26e58 100644 --- a/examples/manage-default-vpc/README.md +++ b/examples/manage-default-vpc/README.md @@ -22,7 +22,7 @@ Run `terraform destroy` when you don't need these resources. | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 5.30 | +| [aws](#requirement\_aws) | >= 5.46 | ## Providers diff --git a/examples/manage-default-vpc/versions.tf b/examples/manage-default-vpc/versions.tf index 22111ba53..e1ed6107f 100644 --- a/examples/manage-default-vpc/versions.tf +++ b/examples/manage-default-vpc/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.30" + version = ">= 5.46" } } } diff --git a/examples/network-acls/README.md b/examples/network-acls/README.md index 477a903d2..c0809311d 100644 --- a/examples/network-acls/README.md +++ b/examples/network-acls/README.md @@ -24,13 +24,13 @@ Note that this example may create resources which can cost money (AWS Elastic IP | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 5.30 | +| [aws](#requirement\_aws) | >= 5.46 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 5.30 | +| [aws](#provider\_aws) | >= 5.46 | ## Modules diff --git a/examples/network-acls/versions.tf b/examples/network-acls/versions.tf index 22111ba53..e1ed6107f 100644 --- a/examples/network-acls/versions.tf +++ b/examples/network-acls/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.30" + version = ">= 5.46" } } } diff --git a/examples/outpost/README.md b/examples/outpost/README.md index 8105dff04..87f5c8771 100644 --- a/examples/outpost/README.md +++ b/examples/outpost/README.md @@ -24,13 +24,13 @@ Note that this example may create resources which can cost money (AWS Elastic IP | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 5.30 | +| [aws](#requirement\_aws) | >= 5.46 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 5.30 | +| [aws](#provider\_aws) | >= 5.46 | ## Modules diff --git a/examples/outpost/versions.tf b/examples/outpost/versions.tf index 22111ba53..e1ed6107f 100644 --- a/examples/outpost/versions.tf +++ b/examples/outpost/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.30" + version = ">= 5.46" } } } diff --git a/examples/secondary-cidr-blocks/README.md b/examples/secondary-cidr-blocks/README.md index be90f2670..90632c1e7 100644 --- a/examples/secondary-cidr-blocks/README.md +++ b/examples/secondary-cidr-blocks/README.md @@ -22,13 +22,13 @@ Note that this example may create resources which can cost money (AWS Elastic IP | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 5.30 | +| [aws](#requirement\_aws) | >= 5.46 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 5.30 | +| [aws](#provider\_aws) | >= 5.46 | ## Modules diff --git a/examples/secondary-cidr-blocks/versions.tf b/examples/secondary-cidr-blocks/versions.tf index 22111ba53..e1ed6107f 100644 --- a/examples/secondary-cidr-blocks/versions.tf +++ b/examples/secondary-cidr-blocks/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.30" + version = ">= 5.46" } } } diff --git a/examples/separate-route-tables/README.md b/examples/separate-route-tables/README.md index cd7be22ed..a5a93ab66 100644 --- a/examples/separate-route-tables/README.md +++ b/examples/separate-route-tables/README.md @@ -22,13 +22,13 @@ Note that this example may create resources which can cost money (AWS Elastic IP | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 5.30 | +| [aws](#requirement\_aws) | >= 5.46 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 5.30 | +| [aws](#provider\_aws) | >= 5.46 | ## Modules diff --git a/examples/separate-route-tables/versions.tf b/examples/separate-route-tables/versions.tf index 22111ba53..e1ed6107f 100644 --- a/examples/separate-route-tables/versions.tf +++ b/examples/separate-route-tables/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.30" + version = ">= 5.46" } } } diff --git a/examples/simple/README.md b/examples/simple/README.md index fb62fba7c..0d661f54e 100644 --- a/examples/simple/README.md +++ b/examples/simple/README.md @@ -26,13 +26,13 @@ Note that this example may create resources which can cost money (AWS Elastic IP | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 5.30 | +| [aws](#requirement\_aws) | >= 5.46 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 5.30 | +| [aws](#provider\_aws) | >= 5.46 | ## Modules diff --git a/examples/simple/versions.tf b/examples/simple/versions.tf index 22111ba53..e1ed6107f 100644 --- a/examples/simple/versions.tf +++ b/examples/simple/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.30" + version = ">= 5.46" } } } diff --git a/examples/vpc-flow-logs/README.md b/examples/vpc-flow-logs/README.md index f40bc01c7..ad984edad 100644 --- a/examples/vpc-flow-logs/README.md +++ b/examples/vpc-flow-logs/README.md @@ -24,14 +24,14 @@ Note that this example may create resources which can cost money (AWS Elastic IP | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 5.30 | +| [aws](#requirement\_aws) | >= 5.46 | | [random](#requirement\_random) | >= 2.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 5.30 | +| [aws](#provider\_aws) | >= 5.46 | | [random](#provider\_random) | >= 2.0 | ## Modules diff --git a/examples/vpc-flow-logs/versions.tf b/examples/vpc-flow-logs/versions.tf index 6af908428..35d5770de 100644 --- a/examples/vpc-flow-logs/versions.tf +++ b/examples/vpc-flow-logs/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.30" + version = ">= 5.46" } random = { diff --git a/main.tf b/main.tf index 32239e588..8705c1ec8 100644 --- a/main.tf +++ b/main.tf @@ -66,11 +66,12 @@ resource "aws_vpc_ipv4_cidr_block_association" "this" { resource "aws_vpc_dhcp_options" "this" { count = local.create_vpc && var.enable_dhcp_options ? 1 : 0 - domain_name = var.dhcp_options_domain_name - domain_name_servers = var.dhcp_options_domain_name_servers - ntp_servers = var.dhcp_options_ntp_servers - netbios_name_servers = var.dhcp_options_netbios_name_servers - netbios_node_type = var.dhcp_options_netbios_node_type + domain_name = var.dhcp_options_domain_name + domain_name_servers = var.dhcp_options_domain_name_servers + ntp_servers = var.dhcp_options_ntp_servers + netbios_name_servers = var.dhcp_options_netbios_name_servers + netbios_node_type = var.dhcp_options_netbios_node_type + ipv6_address_preferred_lease_time = var.dhcp_options_ipv6_address_preferred_lease_time tags = merge( { "Name" = var.name }, diff --git a/modules/vpc-endpoints/README.md b/modules/vpc-endpoints/README.md index acaaea87f..0747c4f49 100644 --- a/modules/vpc-endpoints/README.md +++ b/modules/vpc-endpoints/README.md @@ -56,13 +56,13 @@ module "endpoints" { | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 5.30 | +| [aws](#requirement\_aws) | >= 5.46 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 5.30 | +| [aws](#provider\_aws) | >= 5.46 | ## Modules diff --git a/modules/vpc-endpoints/versions.tf b/modules/vpc-endpoints/versions.tf index 22111ba53..e1ed6107f 100644 --- a/modules/vpc-endpoints/versions.tf +++ b/modules/vpc-endpoints/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.30" + version = ">= 5.46" } } } diff --git a/variables.tf b/variables.tf index e0f31ad12..8bfae5164 100644 --- a/variables.tf +++ b/variables.tf @@ -156,6 +156,12 @@ variable "dhcp_options_netbios_node_type" { default = "" } +variable "dhcp_options_ipv6_address_preferred_lease_time" { + description = "How frequently, in seconds, a running instance with an IPv6 assigned to it goes through DHCPv6 lease renewal (requires enable_dhcp_options set to true)" + type = number + default = null +} + variable "dhcp_options_tags" { description = "Additional tags for the DHCP option set (requires enable_dhcp_options set to true)" type = map(string) diff --git a/versions.tf b/versions.tf index 22111ba53..e1ed6107f 100644 --- a/versions.tf +++ b/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.30" + version = ">= 5.46" } } } From 545f4d587fa0a195c371e777e357e3fe051db775 Mon Sep 17 00:00:00 2001 From: semantic-release-bot Date: Fri, 2 Aug 2024 17:59:30 +0000 Subject: [PATCH 33/41] chore(release): version 5.10.0 [skip ci] ## [5.10.0](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.9.0...v5.10.0) (2024-08-02) ### Features * Added ipv6_address_preferred_lease_time parameter to aws_vpc_dhcp_options resource ([#1105](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/1105)) ([3adb594](https://github.com/terraform-aws-modules/terraform-aws-vpc/commit/3adb594bc794468c80a99c5c1808056a88767f45)) --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index efe1b9d8d..3c242c30f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,13 @@ All notable changes to this project will be documented in this file. +## [5.10.0](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.9.0...v5.10.0) (2024-08-02) + + +### Features + +* Added ipv6_address_preferred_lease_time parameter to aws_vpc_dhcp_options resource ([#1105](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/1105)) ([3adb594](https://github.com/terraform-aws-modules/terraform-aws-vpc/commit/3adb594bc794468c80a99c5c1808056a88767f45)) + ## [5.9.0](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.8.1...v5.9.0) (2024-07-05) From b3e78033bbee8346341a523f78f762ade41eb93b Mon Sep 17 00:00:00 2001 From: Andy Bohne Date: Sat, 3 Aug 2024 10:10:49 -0400 Subject: [PATCH 34/41] feat: Add route to `0.0.0.0/0` & `::/0` (when IPv6 is enabled) on all public route tables (#1100) * Fix logic for adding default route on public route tables * Apply suggestions from code review --------- Co-authored-by: Bryant Biggs --- main.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/main.tf b/main.tf index 8705c1ec8..05b4f5e22 100644 --- a/main.tf +++ b/main.tf @@ -153,9 +153,9 @@ resource "aws_route_table_association" "public" { } resource "aws_route" "public_internet_gateway" { - count = local.create_public_subnets && var.create_igw ? 1 : 0 + count = local.create_public_subnets && var.create_igw ? local.num_public_route_tables : 0 - route_table_id = aws_route_table.public[0].id + route_table_id = aws_route_table.public[count.index].id destination_cidr_block = "0.0.0.0/0" gateway_id = aws_internet_gateway.this[0].id @@ -165,9 +165,9 @@ resource "aws_route" "public_internet_gateway" { } resource "aws_route" "public_internet_gateway_ipv6" { - count = local.create_public_subnets && var.create_igw && var.enable_ipv6 ? 1 : 0 + count = local.create_public_subnets && var.create_igw && var.enable_ipv6 ? local.num_public_route_tables : 0 - route_table_id = aws_route_table.public[0].id + route_table_id = aws_route_table.public[count.index].id destination_ipv6_cidr_block = "::/0" gateway_id = aws_internet_gateway.this[0].id } From 623b3e418e2fd105bc2c93d50b6121e37247f5e8 Mon Sep 17 00:00:00 2001 From: semantic-release-bot Date: Sat, 3 Aug 2024 14:11:16 +0000 Subject: [PATCH 35/41] chore(release): version 5.11.0 [skip ci] ## [5.11.0](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.10.0...v5.11.0) (2024-08-03) ### Features * Add route to `0.0.0.0/0` & `::/0` (when IPv6 is enabled) on all public route tables ([#1100](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/1100)) ([b3e7803](https://github.com/terraform-aws-modules/terraform-aws-vpc/commit/b3e78033bbee8346341a523f78f762ade41eb93b)) --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3c242c30f..e99303183 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,13 @@ All notable changes to this project will be documented in this file. +## [5.11.0](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.10.0...v5.11.0) (2024-08-03) + + +### Features + +* Add route to `0.0.0.0/0` & `::/0` (when IPv6 is enabled) on all public route tables ([#1100](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/1100)) ([b3e7803](https://github.com/terraform-aws-modules/terraform-aws-vpc/commit/b3e78033bbee8346341a523f78f762ade41eb93b)) + ## [5.10.0](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.9.0...v5.10.0) (2024-08-02) From 92567225dc73ef939b86a241b9607cb13329fb75 Mon Sep 17 00:00:00 2001 From: evgenii-bezmaternykh <155622025+evgenii-bezmaternykh@users.noreply.github.com> Date: Sat, 3 Aug 2024 18:14:42 +0400 Subject: [PATCH 36/41] feat: Restrict flow log policy to use log group ARNs (#1088) * fix: Update AWS VPC module to use log group ARNs for flow log policy * refactor code to conditionally call AWS API based on create_vpc --------- Co-authored-by: Bryant Biggs --- README.md | 2 ++ vpc-flow-logs.tf | 16 +++++++++++++++- 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index cde28ac57..220ad3e80 100644 --- a/README.md +++ b/README.md @@ -349,8 +349,10 @@ No modules. | [aws_vpn_gateway_route_propagation.intra](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpn_gateway_route_propagation) | resource | | [aws_vpn_gateway_route_propagation.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpn_gateway_route_propagation) | resource | | [aws_vpn_gateway_route_propagation.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpn_gateway_route_propagation) | resource | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | | [aws_iam_policy_document.flow_log_cloudwatch_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.vpc_flow_log_cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | ## Inputs diff --git a/vpc-flow-logs.tf b/vpc-flow-logs.tf index 88b30789c..7697a9274 100644 --- a/vpc-flow-logs.tf +++ b/vpc-flow-logs.tf @@ -1,3 +1,13 @@ +data "aws_region" "current" { + # Call this API only if create_vpc and enable_flow_log are true + count = var.create_vpc && var.enable_flow_log ? 1 : 0 +} + +data "aws_caller_identity" "current" { + # Call this API only if create_vpc and enable_flow_log are true + count = var.create_vpc && var.enable_flow_log ? 1 : 0 +} + locals { # Only create flow log if user selected to create a VPC as well enable_flow_log = var.create_vpc && var.enable_flow_log @@ -8,6 +18,10 @@ locals { flow_log_destination_arn = local.create_flow_log_cloudwatch_log_group ? try(aws_cloudwatch_log_group.flow_log[0].arn, null) : var.flow_log_destination_arn flow_log_iam_role_arn = var.flow_log_destination_type != "s3" && local.create_flow_log_cloudwatch_iam_role ? try(aws_iam_role.vpc_flow_log_cloudwatch[0].arn, null) : var.flow_log_cloudwatch_iam_role_arn flow_log_cloudwatch_log_group_name_suffix = var.flow_log_cloudwatch_log_group_name_suffix == "" ? local.vpc_id : var.flow_log_cloudwatch_log_group_name_suffix + flow_log_group_arns = [ + for log_group in aws_cloudwatch_log_group.flow_log : + "arn:aws:logs:${data.aws_region.current[0].name}:${data.aws_caller_identity.current[0].account_id}:log-group:${log_group.name}:*" + ] } ################################################################################ @@ -115,6 +129,6 @@ data "aws_iam_policy_document" "vpc_flow_log_cloudwatch" { "logs:DescribeLogStreams", ] - resources = ["*"] + resources = local.flow_log_group_arns } } From fb9beb39a93effe4a6bbd35926ea1609f169e5d1 Mon Sep 17 00:00:00 2001 From: semantic-release-bot Date: Sat, 3 Aug 2024 14:15:11 +0000 Subject: [PATCH 37/41] chore(release): version 5.12.0 [skip ci] ## [5.12.0](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.11.0...v5.12.0) (2024-08-03) ### Features * Restrict flow log policy to use log group ARNs ([#1088](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/1088)) ([9256722](https://github.com/terraform-aws-modules/terraform-aws-vpc/commit/92567225dc73ef939b86a241b9607cb13329fb75)) --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index e99303183..dd1d2be57 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,13 @@ All notable changes to this project will be documented in this file. +## [5.12.0](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.11.0...v5.12.0) (2024-08-03) + + +### Features + +* Restrict flow log policy to use log group ARNs ([#1088](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/1088)) ([9256722](https://github.com/terraform-aws-modules/terraform-aws-vpc/commit/92567225dc73ef939b86a241b9607cb13329fb75)) + ## [5.11.0](https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v5.10.0...v5.11.0) (2024-08-03) From 5a4f1566b014d80be26dce8ec15238d46039d341 Mon Sep 17 00:00:00 2001 From: Marvin Bertram Date: Mon, 12 Aug 2024 16:17:49 +0200 Subject: [PATCH 38/41] Change naming; Add TGW att code --- examples/complete/main.tf | 2 +- examples/ipam/main.tf | 4 +- examples/ipv6-dualstack/main.tf | 2 +- examples/ipv6-only/main.tf | 2 +- examples/issues/main.tf | 6 +- examples/network-acls/main.tf | 2 +- examples/outpost/main.tf | 2 +- examples/secondary-cidr-blocks/main.tf | 2 +- examples/separate-route-tables/main.tf | 2 +- examples/simple/main.tf | 2 +- examples/vpc-flow-logs/main.tf | 10 +- main.tf | 116 +++++++------ outputs.tf | 52 +++++- tgw.tf | 216 +++++++++++++++++++++++++ variables.tf | 186 +++++++++++++++++++++ 15 files changed, 538 insertions(+), 68 deletions(-) create mode 100644 tgw.tf diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 579a47395..ccfcb4490 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -25,7 +25,7 @@ locals { module "vpc" { source = "../../" - name = local.name + name_prefix = local.name cidr = local.vpc_cidr azs = local.azs diff --git a/examples/ipam/main.tf b/examples/ipam/main.tf index d43851202..b38186d02 100644 --- a/examples/ipam/main.tf +++ b/examples/ipam/main.tf @@ -26,7 +26,7 @@ locals { module "vpc_ipam_set_netmask" { source = "../.." - name = "${local.name}-set-netmask" + name_prefix = "${local.name}-set-netmask" use_ipam_pool = true ipv4_ipam_pool_id = aws_vpc_ipam_pool.this.id @@ -46,7 +46,7 @@ module "vpc_ipam_set_netmask" { module "vpc_ipam_set_cidr" { source = "../.." - name = "${local.name}-set-cidr" + name_prefix = "${local.name}-set-cidr" use_ipam_pool = true ipv4_ipam_pool_id = aws_vpc_ipam_pool.this.id diff --git a/examples/ipv6-dualstack/main.tf b/examples/ipv6-dualstack/main.tf index d71f8fe35..b514ff83f 100644 --- a/examples/ipv6-dualstack/main.tf +++ b/examples/ipv6-dualstack/main.tf @@ -25,7 +25,7 @@ locals { module "vpc" { source = "../.." - name = local.name + name_prefix = local.name cidr = local.vpc_cidr azs = local.azs diff --git a/examples/ipv6-only/main.tf b/examples/ipv6-only/main.tf index ba737316d..250d0092c 100644 --- a/examples/ipv6-only/main.tf +++ b/examples/ipv6-only/main.tf @@ -22,7 +22,7 @@ locals { module "vpc" { source = "../.." - name = local.name + name_prefix = local.name azs = slice(data.aws_availability_zones.available.names, 0, 3) enable_ipv6 = true diff --git a/examples/issues/main.tf b/examples/issues/main.tf index 9e23b806f..f3272e36f 100644 --- a/examples/issues/main.tf +++ b/examples/issues/main.tf @@ -24,7 +24,7 @@ locals { module "vpc_issue_44" { source = "../../" - name = "asymmetrical" + name_prefix = "asymmetrical" cidr = "10.0.0.0/16" azs = local.azs @@ -48,7 +48,7 @@ module "vpc_issue_44" { module "vpc_issue_46" { source = "../../" - name = "no-private-subnets" + name_prefix = "no-private-subnets" cidr = "10.0.0.0/16" azs = local.azs @@ -74,7 +74,7 @@ module "vpc_issue_46" { module "vpc_issue_108" { source = "../../" - name = "route-already-exists" + name_prefix = "route-already-exists" cidr = "10.0.0.0/16" azs = local.azs diff --git a/examples/network-acls/main.tf b/examples/network-acls/main.tf index 35c3a2211..fc2cc8243 100644 --- a/examples/network-acls/main.tf +++ b/examples/network-acls/main.tf @@ -174,7 +174,7 @@ locals { module "vpc" { source = "../../" - name = local.name + name_prefix = local.name cidr = local.vpc_cidr azs = local.azs diff --git a/examples/outpost/main.tf b/examples/outpost/main.tf index b65e8d75a..adf3c6df8 100644 --- a/examples/outpost/main.tf +++ b/examples/outpost/main.tf @@ -124,7 +124,7 @@ locals { module "vpc" { source = "../../" - name = local.name + name_prefix = local.name cidr = local.vpc_cidr azs = local.azs diff --git a/examples/secondary-cidr-blocks/main.tf b/examples/secondary-cidr-blocks/main.tf index 5c963bb94..e4485ffc6 100644 --- a/examples/secondary-cidr-blocks/main.tf +++ b/examples/secondary-cidr-blocks/main.tf @@ -26,7 +26,7 @@ locals { module "vpc" { source = "../../" - name = local.name + name_prefix = local.name cidr = local.vpc_cidr secondary_cidr_blocks = local.secondary_cidr_blocks # can add up to 5 total CIDR blocks diff --git a/examples/separate-route-tables/main.tf b/examples/separate-route-tables/main.tf index 99cf9828f..2d661b6b5 100644 --- a/examples/separate-route-tables/main.tf +++ b/examples/separate-route-tables/main.tf @@ -25,7 +25,7 @@ locals { module "vpc" { source = "../../" - name = local.name + name_prefix = local.name cidr = local.vpc_cidr azs = local.azs diff --git a/examples/simple/main.tf b/examples/simple/main.tf index 324977173..e4c5a847d 100644 --- a/examples/simple/main.tf +++ b/examples/simple/main.tf @@ -25,7 +25,7 @@ locals { module "vpc" { source = "../../" - name = local.name + name_prefix = local.name cidr = local.vpc_cidr azs = local.azs diff --git a/examples/vpc-flow-logs/main.tf b/examples/vpc-flow-logs/main.tf index 7cd35d34f..4121dfdae 100644 --- a/examples/vpc-flow-logs/main.tf +++ b/examples/vpc-flow-logs/main.tf @@ -27,7 +27,7 @@ locals { module "vpc_with_flow_logs_s3_bucket" { source = "../../" - name = local.name + name_prefix = local.name cidr = local.vpc_cidr azs = local.azs @@ -44,7 +44,7 @@ module "vpc_with_flow_logs_s3_bucket" { module "vpc_with_flow_logs_s3_bucket_parquet" { source = "../../" - name = "${local.name}-parquet" + name_prefix = "${local.name}-parquet" cidr = local.vpc_cidr azs = local.azs @@ -63,7 +63,7 @@ module "vpc_with_flow_logs_s3_bucket_parquet" { module "vpc_with_flow_logs_cloudwatch_logs_default" { source = "../../" - name = "${local.name}-cloudwatch-logs-default" + name_prefix = "${local.name}-cloudwatch-logs-default" cidr = local.vpc_cidr azs = local.azs @@ -87,7 +87,7 @@ module "vpc_with_flow_logs_cloudwatch_logs_default" { module "vpc_with_flow_logs_cloudwatch_logs_prefix" { source = "../../" - name = "${local.name}-cloudwatch-logs-prefix" + name_prefix = "${local.name}-cloudwatch-logs-prefix" cidr = local.vpc_cidr azs = local.azs @@ -116,7 +116,7 @@ module "vpc_with_flow_logs_cloudwatch_logs_prefix" { module "vpc_with_flow_logs_cloudwatch_logs" { source = "../../" - name = "${local.name}-cloudwatch-logs" + name_prefix = "${local.name}-cloudwatch-logs" cidr = local.vpc_cidr azs = local.azs diff --git a/main.tf b/main.tf index 05b4f5e22..eb448dbb2 100644 --- a/main.tf +++ b/main.tf @@ -13,6 +13,7 @@ locals { local.len_elasticache_subnets, local.len_database_subnets, local.len_redshift_subnets, + local.len_tgw_subnets ) # Use `local.vpc_id` to give a hint to Terraform that subnets should be deleted before secondary CIDR blocks can be free! @@ -44,7 +45,7 @@ resource "aws_vpc" "this" { enable_network_address_usage_metrics = var.enable_network_address_usage_metrics tags = merge( - { "Name" = var.name }, + { "Name" = "${var.name_prefix}-vpc${var.name_suffix}" }, var.tags, var.vpc_tags, ) @@ -74,7 +75,7 @@ resource "aws_vpc_dhcp_options" "this" { ipv6_address_preferred_lease_time = var.dhcp_options_ipv6_address_preferred_lease_time tags = merge( - { "Name" = var.name }, + { "Name" = var.name_prefix }, var.tags, var.dhcp_options_tags, ) @@ -115,7 +116,7 @@ resource "aws_subnet" "public" { { Name = try( var.public_subnet_names[count.index], - format("${var.name}-${var.public_subnet_suffix}-%s", element(var.azs, count.index)) + format("${var.name_prefix}-${var.public_subnet_suffix}-%s", element(var.azs, count.index)) ) }, var.tags, @@ -136,9 +137,9 @@ resource "aws_route_table" "public" { tags = merge( { "Name" = var.create_multiple_public_route_tables ? format( - "${var.name}-${var.public_subnet_suffix}-%s", + "${var.name_prefix}-${var.public_subnet_suffix}-%s", element(var.azs, count.index), - ) : "${var.name}-${var.public_subnet_suffix}" + ) : "${var.name_prefix}-${var.public_subnet_suffix}" }, var.tags, var.public_route_table_tags, @@ -183,7 +184,7 @@ resource "aws_network_acl" "public" { subnet_ids = aws_subnet.public[*].id tags = merge( - { "Name" = "${var.name}-${var.public_subnet_suffix}" }, + { "Name" = "${var.name_prefix}-${var.public_subnet_suffix}" }, var.tags, var.public_acl_tags, ) @@ -246,11 +247,15 @@ resource "aws_subnet" "private" { private_dns_hostname_type_on_launch = var.private_subnet_private_dns_hostname_type_on_launch vpc_id = local.vpc_id + # app1-test-euc1a-az2-sub-db tags = merge( { Name = try( var.private_subnet_names[count.index], - format("${var.name}-${var.private_subnet_suffix}-%s", element(var.azs, count.index)) + format("${var.name_prefix}%s-%s-sub-${var.private_subnet_suffix}", + substr(element(var.azs, count.index), length(element(var.azs, count.index)) - 1, 1), + lookup(var.az_name_to_az_id, element(var.azs, count.index), "") + ) ) }, var.tags, @@ -267,9 +272,10 @@ resource "aws_route_table" "private" { tags = merge( { - "Name" = var.single_nat_gateway ? "${var.name}-${var.private_subnet_suffix}" : format( - "${var.name}-${var.private_subnet_suffix}-%s", - element(var.azs, count.index), + "Name" = (var.single_nat_gateway ? "${var.name_prefix}-rtb-${var.private_subnet_suffix}" : + format("${var.name_prefix}%s-rtb-${var.private_subnet_suffix}", + substr(element(var.azs, count.index), length(element(var.azs, count.index)) - 1, 1), + ) ) }, var.tags, @@ -302,7 +308,7 @@ resource "aws_network_acl" "private" { subnet_ids = aws_subnet.private[*].id tags = merge( - { "Name" = "${var.name}-${var.private_subnet_suffix}" }, + { "Name" = "${var.name_prefix}-nacl-${var.private_subnet_suffix}" }, var.tags, var.private_acl_tags, ) @@ -370,7 +376,9 @@ resource "aws_subnet" "database" { { Name = try( var.database_subnet_names[count.index], - format("${var.name}-${var.database_subnet_suffix}-%s", element(var.azs, count.index), ) + format("${var.name_prefix}%s-sub-${var.database_subnet_suffix}", element(var.azs, count.index), + substr(element(var.azs, count.index), length(element(var.azs, count.index)) - 1, 1), + ) ) }, var.tags, @@ -381,13 +389,13 @@ resource "aws_subnet" "database" { resource "aws_db_subnet_group" "database" { count = local.create_database_subnets && var.create_database_subnet_group ? 1 : 0 - name = lower(coalesce(var.database_subnet_group_name, var.name)) - description = "Database subnet group for ${var.name}" + name = lower(coalesce(var.database_subnet_group_name, var.name_prefix)) + description = "Database subnet group for ${var.name_prefix}" subnet_ids = aws_subnet.database[*].id tags = merge( { - "Name" = lower(coalesce(var.database_subnet_group_name, var.name)) + "Name" = lower(coalesce(var.database_subnet_group_name, var.name_prefix)) }, var.tags, var.database_subnet_group_tags, @@ -401,9 +409,9 @@ resource "aws_route_table" "database" { tags = merge( { - "Name" = var.single_nat_gateway || var.create_database_internet_gateway_route ? "${var.name}-${var.database_subnet_suffix}" : format( - "${var.name}-${var.database_subnet_suffix}-%s", - element(var.azs, count.index), + "Name" = var.single_nat_gateway || var.create_database_internet_gateway_route ? "${var.name_prefix}-rtb-${var.database_subnet_suffix}" : format( + "${var.name_prefix}%s-rtb-${var.database_subnet_suffix}", + substr(element(var.azs, count.index), length(element(var.azs, count.index)) - 1, 1), ) }, var.tags, @@ -484,7 +492,7 @@ resource "aws_network_acl" "database" { subnet_ids = aws_subnet.database[*].id tags = merge( - { "Name" = "${var.name}-${var.database_subnet_suffix}" }, + { "Name" = "${var.name_prefix}-nacl-${var.database_subnet_suffix}" }, var.tags, var.database_acl_tags, ) @@ -552,7 +560,9 @@ resource "aws_subnet" "redshift" { { Name = try( var.redshift_subnet_names[count.index], - format("${var.name}-${var.redshift_subnet_suffix}-%s", element(var.azs, count.index)) + format("${var.name_prefix}%s-${var.redshift_subnet_suffix}", + substr(element(var.azs, count.index), length(element(var.azs, count.index)) - 1, 1) + ) ) }, var.tags, @@ -563,12 +573,12 @@ resource "aws_subnet" "redshift" { resource "aws_redshift_subnet_group" "redshift" { count = local.create_redshift_subnets && var.create_redshift_subnet_group ? 1 : 0 - name = lower(coalesce(var.redshift_subnet_group_name, var.name)) - description = "Redshift subnet group for ${var.name}" + name = lower(coalesce(var.redshift_subnet_group_name, var.name_prefix)) + description = "Redshift subnet group for ${var.name_prefix}" subnet_ids = aws_subnet.redshift[*].id tags = merge( - { "Name" = coalesce(var.redshift_subnet_group_name, var.name) }, + { "Name" = coalesce(var.redshift_subnet_group_name, var.name_prefix) }, var.tags, var.redshift_subnet_group_tags, ) @@ -580,7 +590,7 @@ resource "aws_route_table" "redshift" { vpc_id = local.vpc_id tags = merge( - { "Name" = "${var.name}-${var.redshift_subnet_suffix}" }, + { "Name" = "${var.name_prefix}-rtb-${var.redshift_subnet_suffix}" }, var.tags, var.redshift_route_table_tags, ) @@ -621,7 +631,7 @@ resource "aws_network_acl" "redshift" { subnet_ids = aws_subnet.redshift[*].id tags = merge( - { "Name" = "${var.name}-${var.redshift_subnet_suffix}" }, + { "Name" = "${var.name_prefix}-nacl-${var.redshift_subnet_suffix}" }, var.tags, var.redshift_acl_tags, ) @@ -689,7 +699,9 @@ resource "aws_subnet" "elasticache" { { Name = try( var.elasticache_subnet_names[count.index], - format("${var.name}-${var.elasticache_subnet_suffix}-%s", element(var.azs, count.index)) + format("${var.name_prefix}%s-${var.elasticache_subnet_suffix}", + substr(element(var.azs, count.index), length(element(var.azs, count.index)) - 1, 1) + ) ) }, var.tags, @@ -700,12 +712,12 @@ resource "aws_subnet" "elasticache" { resource "aws_elasticache_subnet_group" "elasticache" { count = local.create_elasticache_subnets && var.create_elasticache_subnet_group ? 1 : 0 - name = coalesce(var.elasticache_subnet_group_name, var.name) - description = "ElastiCache subnet group for ${var.name}" + name = coalesce(var.elasticache_subnet_group_name, var.name_prefix) + description = "ElastiCache subnet group for ${var.name_prefix}" subnet_ids = aws_subnet.elasticache[*].id tags = merge( - { "Name" = coalesce(var.elasticache_subnet_group_name, var.name) }, + { "Name" = coalesce(var.elasticache_subnet_group_name, var.name_prefix) }, var.tags, var.elasticache_subnet_group_tags, ) @@ -717,7 +729,7 @@ resource "aws_route_table" "elasticache" { vpc_id = local.vpc_id tags = merge( - { "Name" = "${var.name}-${var.elasticache_subnet_suffix}" }, + { "Name" = "${var.name_prefix}-rtb-${var.elasticache_subnet_suffix}" }, var.tags, var.elasticache_route_table_tags, ) @@ -751,7 +763,7 @@ resource "aws_network_acl" "elasticache" { subnet_ids = aws_subnet.elasticache[*].id tags = merge( - { "Name" = "${var.name}-${var.elasticache_subnet_suffix}" }, + { "Name" = "${var.name_prefix}-nacl-${var.elasticache_subnet_suffix}" }, var.tags, var.elasticache_acl_tags, ) @@ -818,7 +830,9 @@ resource "aws_subnet" "intra" { { Name = try( var.intra_subnet_names[count.index], - format("${var.name}-${var.intra_subnet_suffix}-%s", element(var.azs, count.index)) + format("${var.name_prefix}%s-sub-${var.intra_subnet_suffix}", + substr(element(var.azs, count.index), length(element(var.azs, count.index)) - 1, 1) + ) ) }, var.tags, @@ -838,9 +852,9 @@ resource "aws_route_table" "intra" { tags = merge( { "Name" = var.create_multiple_intra_route_tables ? format( - "${var.name}-${var.intra_subnet_suffix}-%s", - element(var.azs, count.index), - ) : "${var.name}-${var.intra_subnet_suffix}" + "${var.name_prefix}%s-${var.intra_subnet_suffix}-%s", + substr(element(var.azs, count.index), length(element(var.azs, count.index)) - 1, 1), + ) : "${var.name_prefix}-rtb-${var.intra_subnet_suffix}" }, var.tags, var.intra_route_table_tags, @@ -869,7 +883,7 @@ resource "aws_network_acl" "intra" { subnet_ids = aws_subnet.intra[*].id tags = merge( - { "Name" = "${var.name}-${var.intra_subnet_suffix}" }, + { "Name" = "${var.name_prefix}-nacl-${var.intra_subnet_suffix}" }, var.tags, var.intra_acl_tags, ) @@ -938,7 +952,7 @@ resource "aws_subnet" "outpost" { { Name = try( var.outpost_subnet_names[count.index], - format("${var.name}-${var.outpost_subnet_suffix}-%s", var.outpost_az) + format("${var.name_prefix}-%s-sub-${var.outpost_subnet_suffix}", var.outpost_az) ) }, var.tags, @@ -971,7 +985,7 @@ resource "aws_network_acl" "outpost" { subnet_ids = aws_subnet.outpost[*].id tags = merge( - { "Name" = "${var.name}-${var.outpost_subnet_suffix}" }, + { "Name" = "${var.name_prefix}-nacl-${var.outpost_subnet_suffix}" }, var.tags, var.outpost_acl_tags, ) @@ -1021,7 +1035,7 @@ resource "aws_internet_gateway" "this" { vpc_id = local.vpc_id tags = merge( - { "Name" = var.name }, + { "Name" = "${var.name_prefix}-igw" }, var.tags, var.igw_tags, ) @@ -1033,7 +1047,7 @@ resource "aws_egress_only_internet_gateway" "this" { vpc_id = local.vpc_id tags = merge( - { "Name" = var.name }, + { "Name" = "${var.name_prefix}-eigw" }, var.tags, var.igw_tags, ) @@ -1064,8 +1078,10 @@ resource "aws_eip" "nat" { tags = merge( { "Name" = format( - "${var.name}-%s", - element(var.azs, var.single_nat_gateway ? 0 : count.index), + "${var.name_prefix}%s-eip", + substr(element(var.azs, var.single_nat_gateway ? 0 : count.index), + length(element(var.azs, var.single_nat_gateway ? 0 : count.index)) - 1, 1 + ) ) }, var.tags, @@ -1090,8 +1106,10 @@ resource "aws_nat_gateway" "this" { tags = merge( { "Name" = format( - "${var.name}-%s", - element(var.azs, var.single_nat_gateway ? 0 : count.index), + "${var.name_prefix}%s-natgw", + substr(element(var.azs, var.single_nat_gateway ? 0 : count.index), + length(element(var.azs, var.single_nat_gateway ? 0 : count.index)) - 1, 1 + ) ) }, var.tags, @@ -1138,7 +1156,7 @@ resource "aws_customer_gateway" "this" { type = "ipsec.1" tags = merge( - { Name = "${var.name}-${each.key}" }, + { Name = "${var.name_prefix}-${each.key}" }, var.tags, var.customer_gateway_tags, ) @@ -1160,7 +1178,7 @@ resource "aws_vpn_gateway" "this" { availability_zone = var.vpn_gateway_az tags = merge( - { "Name" = var.name }, + { "Name" = "${var.name_prefix}-vpngw" }, var.tags, var.vpn_gateway_tags, ) @@ -1265,7 +1283,7 @@ resource "aws_default_security_group" "this" { } tags = merge( - { "Name" = coalesce(var.default_security_group_name, "${var.name}-default") }, + { "Name" = coalesce(var.default_security_group_name, "${var.name_prefix}-sg-default") }, var.tags, var.default_security_group_tags, ) @@ -1314,7 +1332,7 @@ resource "aws_default_network_acl" "this" { } tags = merge( - { "Name" = coalesce(var.default_network_acl_name, "${var.name}-default") }, + { "Name" = coalesce(var.default_network_acl_name, "${var.name_prefix}-nacl-default") }, var.tags, var.default_network_acl_tags, ) @@ -1359,7 +1377,7 @@ resource "aws_default_route_table" "default" { } tags = merge( - { "Name" = coalesce(var.default_route_table_name, "${var.name}-default") }, + { "Name" = coalesce(var.default_route_table_name, "${var.name_prefix}-rtb-default") }, var.tags, var.default_route_table_tags, ) diff --git a/outputs.tf b/outputs.tf index a98c65c98..2e59a02cd 100644 --- a/outputs.tf +++ b/outputs.tf @@ -2,6 +2,7 @@ locals { redshift_route_table_ids = aws_route_table.redshift[*].id public_route_table_ids = aws_route_table.public[*].id private_route_table_ids = aws_route_table.private[*].id + tgw_route_table_ids = aws_route_table.tgw[*].id } ################################################################################ @@ -625,7 +626,7 @@ output "azs" { output "name" { description = "The name of the VPC specified as argument to this module" - value = var.name + value = var.name_prefix } ################################################################################ @@ -660,3 +661,52 @@ output "database_subnets_az_ids" { description = "List of AZ IDs of database subnets" value = aws_subnet.database[*].availability_zone_id } + +################################################################################ +# TGW Subnets +################################################################################ + +output "tgw_subnets" { + description = "List of IDs of tgw subnets" + value = aws_subnet.tgw[*].id +} + +output "tgw_subnet_arns" { + description = "List of ARNs of tgw subnets" + value = aws_subnet.tgw[*].arn +} + +output "tgw_subnets_cidr_blocks" { + description = "List of cidr_blocks of tgw subnets" + value = compact(aws_subnet.tgw[*].cidr_block) +} + +output "tgw_subnets_ipv6_cidr_blocks" { + description = "List of IPv6 cidr_blocks of tgw subnets in an IPv6 enabled VPC" + value = compact(aws_subnet.tgw[*].ipv6_cidr_block) +} + +output "tgw_route_table_ids" { + description = "List of IDs of tgw route tables" + value = local.tgw_route_table_ids +} + +output "tgw_route_table_association_ids" { + description = "List of IDs of the tgw route table association" + value = aws_route_table_association.tgw[*].id +} + +output "tgw_network_acl_id" { + description = "ID of the tgw network ACL" + value = try(aws_network_acl.tgw[0].id, null) +} + +output "tgw_network_acl_arn" { + description = "ARN of the tgw network ACL" + value = try(aws_network_acl.tgw[0].arn, null) +} + +output "aws_ec2_transit_gateway_vpc_attachment_id" { + description = "ID of the TGW attachment" + value = try(aws_ec2_transit_gateway_vpc_attachment.tgw[0].id, null) +} diff --git a/tgw.tf b/tgw.tf new file mode 100644 index 000000000..d56d56458 --- /dev/null +++ b/tgw.tf @@ -0,0 +1,216 @@ +################################################################################ +# TGW Subnets +################################################################################ + +locals { + len_tgw_subnets = max(length(var.tgw_subnets), length(var.private_subnet_ipv6_prefixes)) + create_tgw_subnets = local.create_vpc && local.len_tgw_subnets > 0 + + # support variables for transit_gateway_routes + subnets_tgw_routed = keys(var.transit_gateway_routes) +} + +resource "aws_subnet" "tgw" { + count = local.create_tgw_subnets ? local.len_tgw_subnets : 0 + + assign_ipv6_address_on_creation = var.enable_ipv6 && var.tgw_subnet_ipv6_native ? true : var.tgw_subnet_assign_ipv6_address_on_creation + availability_zone = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) > 0 ? element(var.azs, count.index) : null + availability_zone_id = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) == 0 ? element(var.azs, count.index) : null + cidr_block = var.tgw_subnet_ipv6_native ? null : element(concat(var.tgw_subnets, [""]), count.index) + enable_dns64 = var.enable_ipv6 && var.tgw_subnet_enable_dns64 + enable_resource_name_dns_aaaa_record_on_launch = var.enable_ipv6 && var.tgw_subnet_enable_resource_name_dns_aaaa_record_on_launch + enable_resource_name_dns_a_record_on_launch = !var.tgw_subnet_ipv6_native && var.tgw_subnet_enable_resource_name_dns_a_record_on_launch + ipv6_cidr_block = var.enable_ipv6 && length(var.tgw_subnet_ipv6_prefixes) > 0 ? cidrsubnet(aws_vpc.this[0].ipv6_cidr_block, 8, var.tgw_subnet_ipv6_prefixes[count.index]) : null + ipv6_native = var.enable_ipv6 && var.tgw_subnet_ipv6_native + private_dns_hostname_type_on_launch = var.tgw_subnet_private_dns_hostname_type_on_launch + vpc_id = local.vpc_id + + #substr(var.input_string, local.string_length - 1, 1) + + tags = merge( + { + Name = try( + var.tgw_subnet_names[count.index], + format("${var.name_prefix}%s-sub-${var.tgw_subnet_suffix}", substr(element(var.azs, count.index),length(element(var.azs, count.index)) - 1 , 1) + ) + ) + }, + var.tags, + var.tgw_subnet_tags, + lookup(var.tgw_subnet_tags_per_az, element(var.azs, count.index), {}) + ) +} + +# There are as many routing tables as the number of NAT gateways +resource "aws_route_table" "tgw" { + count = local.create_tgw_subnets && local.max_subnet_length > 0 ? local.nat_gateway_count : 0 + + vpc_id = local.vpc_id + + tags = merge( + { + "Name" = var.single_nat_gateway ? "${var.name_prefix}-${var.tgw_subnet_suffix}" : format( + "${var.name_prefix}%s-rtb-${var.tgw_subnet_suffix}", + substr(element(var.azs, count.index), length(element(var.azs, count.index)) - 1, 1) + ) + }, + var.tags, + var.tgw_route_table_tags, + ) +} + +resource "aws_route_table_association" "tgw" { + count = local.create_tgw_subnets ? local.len_tgw_subnets : 0 + + subnet_id = element(aws_subnet.tgw[*].id, count.index) + route_table_id = element( + aws_route_table.tgw[*].id, + var.single_nat_gateway ? 0 : count.index, + ) +} + +################################################################################ +# TGW Network ACLs +################################################################################ + +locals { + tgw_network_acl = local.create_tgw_subnets && var.tgw_dedicated_network_acl +} + +resource "aws_network_acl" "tgw" { + count = local.tgw_network_acl ? 1 : 0 + + vpc_id = local.vpc_id + subnet_ids = aws_subnet.tgw[*].id + + tags = merge( + { "Name" = "${var.name_prefix}-nacl-${var.tgw_subnet_suffix}" }, + var.tags, + var.tgw_acl_tags, + ) +} + +resource "aws_network_acl_rule" "tgw_inbound" { + count = local.tgw_network_acl ? length(var.tgw_inbound_acl_rules) : 0 + + network_acl_id = aws_network_acl.private[0].id + + egress = false + rule_number = var.tgw_inbound_acl_rules[count.index]["rule_number"] + rule_action = var.tgw_inbound_acl_rules[count.index]["rule_action"] + from_port = lookup(var.tgw_inbound_acl_rules[count.index], "from_port", null) + to_port = lookup(var.tgw_inbound_acl_rules[count.index], "to_port", null) + icmp_code = lookup(var.tgw_inbound_acl_rules[count.index], "icmp_code", null) + icmp_type = lookup(var.tgw_inbound_acl_rules[count.index], "icmp_type", null) + protocol = var.tgw_inbound_acl_rules[count.index]["protocol"] + cidr_block = lookup(var.tgw_inbound_acl_rules[count.index], "cidr_block", null) + ipv6_cidr_block = lookup(var.tgw_inbound_acl_rules[count.index], "ipv6_cidr_block", null) +} + +resource "aws_network_acl_rule" "tgw_outbound" { + count = local.tgw_network_acl ? length(var.tgw_outbound_acl_rules) : 0 + + network_acl_id = aws_network_acl.tgw[0].id + + egress = true + rule_number = var.tgw_outbound_acl_rules[count.index]["rule_number"] + rule_action = var.tgw_outbound_acl_rules[count.index]["rule_action"] + from_port = lookup(var.tgw_outbound_acl_rules[count.index], "from_port", null) + to_port = lookup(var.tgw_outbound_acl_rules[count.index], "to_port", null) + icmp_code = lookup(var.tgw_outbound_acl_rules[count.index], "icmp_code", null) + icmp_type = lookup(var.tgw_outbound_acl_rules[count.index], "icmp_type", null) + protocol = var.tgw_outbound_acl_rules[count.index]["protocol"] + cidr_block = lookup(var.tgw_outbound_acl_rules[count.index], "cidr_block", null) + ipv6_cidr_block = lookup(var.tgw_outbound_acl_rules[count.index], "ipv6_cidr_block", null) +} + +# Transit Gateway VPC attachment +resource "aws_ec2_transit_gateway_vpc_attachment" "tgw" { + count = var.enable_tgw_attachment ? 1 : 0 + + subnet_ids = aws_subnet.tgw[*].id + transit_gateway_id = var.transit_gateway_id + vpc_id = local.vpc_id + + tags = merge( + { Name = "${var.name_prefix}-tgw-att" } + ) +} + +resource "aws_route" "tgw_nat_gateway" { + count = local.create_vpc && var.enable_tgw_nat_gateway ? local.nat_gateway_count : 0 + + route_table_id = element(aws_route_table.tgw[*].id, count.index) + destination_cidr_block = var.nat_gateway_destination_cidr_block + nat_gateway_id = element(aws_nat_gateway.this[*].id, count.index) + + timeouts { + create = "5m" + } + depends_on = [aws_ec2_transit_gateway_vpc_attachment.tgw] +} + +resource "aws_route" "tgw_dns64_nat_gateway" { + count = local.create_vpc && var.enable_tgw_nat_gateway && var.enable_ipv6 && var.tgw_subnet_enable_dns64 ? local.nat_gateway_count : 0 + + route_table_id = element(aws_route_table.tgw[*].id, count.index) + destination_ipv6_cidr_block = "64:ff9b::/96" + nat_gateway_id = element(aws_nat_gateway.this[*].id, count.index) + + timeouts { + create = "5m" + } + depends_on = [aws_ec2_transit_gateway_vpc_attachment.tgw] +} + +# Route: IPv4 routes from public subnets to the Transit Gateway (if configured in var.transit_gateway_routes) +resource "aws_route" "public_to_tgw" { + count = (local.create_public_subnets && contains(local.subnets_tgw_routed, "public")) ? (var.enable_nat_gateway ? length(var.azs) : 1) : 0 + + destination_cidr_block = can(regex("^pl-", var.transit_gateway_routes["public"])) ? null : var.transit_gateway_routes["public"] + destination_prefix_list_id = can(regex("^pl-", var.transit_gateway_routes["public"])) ? var.transit_gateway_routes["public"] : null + + transit_gateway_id = var.transit_gateway_id + route_table_id = element(aws_route_table.public[*].id, count.index) + + depends_on = [aws_ec2_transit_gateway_vpc_attachment.tgw] +} + +# Route: IPv4 routes from private subnets to the Transit Gateway (if configured in var.transit_gateway_routes) +resource "aws_route" "private_to_tgw" { + count = (local.create_private_subnets && contains(local.subnets_tgw_routed, "private")) ? length(var.azs) : 0 + + destination_cidr_block = can(regex("^pl-", var.transit_gateway_routes["private"])) ? null : var.transit_gateway_routes["private"] + destination_prefix_list_id = can(regex("^pl-", var.transit_gateway_routes["private"])) ? var.transit_gateway_routes["private"] : null + + transit_gateway_id = var.transit_gateway_id + route_table_id = element(aws_route_table.private[*].id, count.index) + + depends_on = [aws_ec2_transit_gateway_vpc_attachment.tgw] +} + +# Route: IPv4 routes from intra subnets to the Transit Gateway (if configured in var.transit_gateway_routes) +resource "aws_route" "intra_to_tgw" { + count = (local.create_intra_subnets && contains(local.subnets_tgw_routed, "intra")) ? length(var.azs) : 0 + + destination_cidr_block = can(regex("^pl-", var.transit_gateway_routes["intra"])) ? null : var.transit_gateway_routes["intra"] + destination_prefix_list_id = can(regex("^pl-", var.transit_gateway_routes["intra"])) ? var.transit_gateway_routes["intra"] : null + + transit_gateway_id = var.transit_gateway_id + route_table_id = element(aws_route_table.intra[*].id, count.index) + + depends_on = [aws_ec2_transit_gateway_vpc_attachment.tgw] +} + +# Route: IPv4 routes from public subnets to the Transit Gateway (if configured in var.transit_gateway_routes) +resource "aws_route" "database_to_tgw" { + count = (local.create_database_subnets && contains(local.subnets_tgw_routed, "database")) ? length(var.azs) : 0 + + destination_cidr_block = can(regex("^pl-", var.transit_gateway_routes["database"])) ? null : var.transit_gateway_routes["database"] + destination_prefix_list_id = can(regex("^pl-", var.transit_gateway_routes["database"])) ? var.transit_gateway_routes["database"] : null + + transit_gateway_id = var.transit_gateway_id + route_table_id = element(aws_route_table.database[*].id, count.index) + + depends_on = [aws_ec2_transit_gateway_vpc_attachment.tgw] +} diff --git a/variables.tf b/variables.tf index 8bfae5164..8e72a4936 100644 --- a/variables.tf +++ b/variables.tf @@ -14,6 +14,18 @@ variable "name" { default = "" } +variable "name_prefix" { + description = "Name to be used on all the resources as identifier" + type = string + default = "" +} + +variable "name_suffix" { + description = "Suffix for more detailed resource description" + type = string + default = "" +} + variable "cidr" { description = "(Optional) The IPv4 CIDR block for the VPC. CIDR can be explicitly set or it can be derived from IPAM using `ipv4_netmask_length` & `ipv4_ipam_pool_id`" type = string @@ -38,6 +50,12 @@ variable "azs" { default = [] } +variable "az_name_to_az_id" { + description = "A map of availability zones names to ids in the account" + type = map(string) + default = {} +} + variable "enable_dns_hostnames" { description = "Should be true to enable DNS hostnames in the VPC" type = bool @@ -1240,6 +1258,12 @@ variable "nat_eip_tags" { default = {} } +variable "enable_tgw_nat_gateway" { + description = "Should be true if you want to provision NAT Gateways for each of your TGW networks" + type = bool + default = false +} + ################################################################################ # Customer Gateways ################################################################################ @@ -1638,3 +1662,165 @@ variable "putin_khuylo" { type = bool default = true } + +################################################################################ +# Transit Gateway +################################################################################ + +variable "transit_gateway_id" { + type = string + description = "Transit gateway id to attach the VPC to. Required when `transit_gateway` subnet is defined." + default = null +} + +variable "transit_gateway_routes" { + description = <<-EOF + Configuration of route(s) to transit gateway. + For each `public` and/or `private` subnets named in the `subnets` variable, + Optionally create routes from the subnet to transit gateway. Specify the CIDR range or a + prefix-list-id that you want routed to the transit gateway. + Example: + ``` + transit_gateway_routes = { + public = "10.0.0.0/8" + private = "pl-123" + } + ``` +EOF + type = any + default = {} +} + +################################################################################ +# TGW Subnets +################################################################################ + +variable "enable_tgw_attachment" { + description = "Enable Transit Gateway Attachment" + type = bool + default = false +} + +variable "tgw_subnets" { + description = "A list of tgw subnets inside the VPC" + type = list(string) + default = [] +} + +variable "tgw_subnet_assign_ipv6_address_on_creation" { + description = "Specify true to indicate that network interfaces created in the specified subnet should be assigned an IPv6 address. Default is `false`" + type = bool + default = false +} + +variable "tgw_subnet_enable_dns64" { + description = "Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: `true`" + type = bool + default = true +} + +variable "tgw_subnet_enable_resource_name_dns_aaaa_record_on_launch" { + description = "Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: `true`" + type = bool + default = true +} + +variable "tgw_subnet_enable_resource_name_dns_a_record_on_launch" { + description = "Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: `false`" + type = bool + default = false +} + +variable "tgw_subnet_ipv6_prefixes" { + description = "Assigns IPv6 tgw subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list" + type = list(string) + default = [] +} + +variable "tgw_subnet_ipv6_native" { + description = "Indicates whether to create an IPv6-only subnet. Default: `false`" + type = bool + default = false +} + +variable "tgw_subnet_private_dns_hostname_type_on_launch" { + description = "The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name`" + type = string + default = null +} + +variable "tgw_subnet_names" { + description = "Explicit values to use in the Name tag on tgw subnets. If empty, Name tags are generated" + type = list(string) + default = [] +} + +variable "tgw_subnet_suffix" { + description = "Suffix to append to tgw subnets name" + type = string + default = "tgw" +} + +variable "tgw_subnet_tags" { + description = "Additional tags for the tgw subnets" + type = map(string) + default = {} +} + +variable "tgw_subnet_tags_per_az" { + description = "Additional tags for the tgw subnets where the primary key is the AZ" + type = map(map(string)) + default = {} +} + +variable "tgw_route_table_tags" { + description = "Additional tags for the tgw route tables" + type = map(string) + default = {} +} + +################################################################################ +# TGW Network ACLs +################################################################################ + +variable "tgw_dedicated_network_acl" { + description = "Whether to use dedicated network ACL (not default) and custom rules for tgw subnets" + type = bool + default = false +} + +variable "tgw_inbound_acl_rules" { + description = "TGW subnets inbound network ACLs" + type = list(map(string)) + default = [ + { + rule_number = 100 + rule_action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_block = "0.0.0.0/0" + }, + ] +} + +variable "tgw_outbound_acl_rules" { + description = "TGW subnets outbound network ACLs" + type = list(map(string)) + default = [ + { + rule_number = 100 + rule_action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_block = "0.0.0.0/0" + }, + ] +} + +variable "tgw_acl_tags" { + description = "Additional tags for the tgw subnets network ACL" + type = map(string) + default = {} +} From 9745b001fd522189191214f4b1807f8347eaf0de Mon Sep 17 00:00:00 2001 From: Marvin Bertram Date: Wed, 14 Aug 2024 18:08:09 +0200 Subject: [PATCH 39/41] Update naming for resources --- main.tf | 13 ++++++++----- tgw.tf | 4 +++- 2 files changed, 11 insertions(+), 6 deletions(-) diff --git a/main.tf b/main.tf index eb448dbb2..ed001e593 100644 --- a/main.tf +++ b/main.tf @@ -116,7 +116,10 @@ resource "aws_subnet" "public" { { Name = try( var.public_subnet_names[count.index], - format("${var.name_prefix}-${var.public_subnet_suffix}-%s", element(var.azs, count.index)) + format("${var.name_prefix}%s-%s-sub-${var.public_subnet_suffix}", + substr(element(var.azs, count.index), length(element(var.azs, count.index)) - 1, 1), + lookup(var.az_name_to_az_id, element(var.azs, count.index), "") + ) ) }, var.tags, @@ -137,9 +140,9 @@ resource "aws_route_table" "public" { tags = merge( { "Name" = var.create_multiple_public_route_tables ? format( - "${var.name_prefix}-${var.public_subnet_suffix}-%s", - element(var.azs, count.index), - ) : "${var.name_prefix}-${var.public_subnet_suffix}" + "${var.name_prefix}%s-rtb-${var.public_subnet_suffix}", + substr(element(var.azs, count.index), length(element(var.azs, count.index)) - 1, 1), + ) : "${var.name_prefix}-rtb-${var.public_subnet_suffix}" }, var.tags, var.public_route_table_tags, @@ -184,7 +187,7 @@ resource "aws_network_acl" "public" { subnet_ids = aws_subnet.public[*].id tags = merge( - { "Name" = "${var.name_prefix}-${var.public_subnet_suffix}" }, + { "Name" = "${var.name_prefix}-nacl-${var.public_subnet_suffix}" }, var.tags, var.public_acl_tags, ) diff --git a/tgw.tf b/tgw.tf index d56d56458..a2eff7a7e 100644 --- a/tgw.tf +++ b/tgw.tf @@ -31,7 +31,9 @@ resource "aws_subnet" "tgw" { { Name = try( var.tgw_subnet_names[count.index], - format("${var.name_prefix}%s-sub-${var.tgw_subnet_suffix}", substr(element(var.azs, count.index),length(element(var.azs, count.index)) - 1 , 1) + format("${var.name_prefix}%s-%s-sub-${var.tgw_subnet_suffix}", + substr(element(var.azs, count.index),length(element(var.azs, count.index)) - 1 , 1), + lookup(var.az_name_to_az_id, element(var.azs, count.index), "") ) ) }, From 77d617aed4d08b0adfcb5399f39f168174e52382 Mon Sep 17 00:00:00 2001 From: Pedro Coelho <148069533+plcoelho@users.noreply.github.com> Date: Thu, 15 Aug 2024 15:55:20 +0200 Subject: [PATCH 40/41] Update config.yml --- .spacelift/config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.spacelift/config.yml b/.spacelift/config.yml index 4aae5459a..9b5c5ac89 100644 --- a/.spacelift/config.yml +++ b/.spacelift/config.yml @@ -1,2 +1,2 @@ version: 1 -module_version: 5.1.1 +module_version: 5.12.1 From 34286aff738d79332dfc7a6c8967a54a1b19d223 Mon Sep 17 00:00:00 2001 From: Pedro Coelho <148069533+plcoelho@users.noreply.github.com> Date: Thu, 15 Aug 2024 15:58:45 +0200 Subject: [PATCH 41/41] Update config.yml --- .spacelift/config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.spacelift/config.yml b/.spacelift/config.yml index 9b5c5ac89..ce65ee521 100644 --- a/.spacelift/config.yml +++ b/.spacelift/config.yml @@ -1,2 +1,2 @@ version: 1 -module_version: 5.12.1 +module_version: 1.0.0