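# module "vpc" {
#   source = "terraform-aws-modules/vpc/aws"
#
#   name = "my-vpc"
#   cidr = "10.0.0.0/16"
#
#   azs             = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
#   private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
#   public_subnets  = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
#
#   enable_nat_gateway = true
#   enable_vpn_gateway = true
#
#   tags = {
#     Terraform   = "true"
#     Environment = "dev"
#   }
# }

# Naming and tagging inputs shared by every resource in this example.
locals {
  # Prefix derived from the working directory name so each checkout is distinct.
  name   = "ex-${replace(basename(path.cwd), "_", "-")}"
  region = "eu-west-1"

  tags = {
    Example    = local.name
    GithubRepo = "terraform-aws-vpc"
    GithubOrg  = "terraform-aws-modules"
  }
}

################################################################################
# VPC Module
################################################################################

module "vpc" {
  source = "terraform-aws-modules/vpc/aws"

  name = local.name
  cidr = "10.0.0.0/16"

  azs             = ["${local.region}a", "${local.region}b"]
  private_subnets = ["10.0.1.0/24", "10.0.2.0/24"]
  public_subnets  = ["10.0.3.0/24", "10.0.4.0/24"]

  create_database_subnet_group = false

  # Take ownership of the VPC's default NACL, route table and security group so
  # their rule sets are tracked in state here instead of drifting at AWS defaults.
  manage_default_network_acl    = true
  default_network_acl_tags      = { Name = "${local.name}-default" }
  manage_default_route_table    = true
  default_route_table_tags      = { Name = "${local.name}-default" }
  manage_default_security_group = true
  default_security_group_tags   = { Name = "${local.name}-default" }

  # Both are required for private_dns_enabled on the interface endpoints below.
  enable_dns_hostnames = true
  enable_dns_support   = true

  enable_nat_gateway = true
  single_nat_gateway = true

  # enable_vpn_gateway  = false
  # enable_dhcp_options = false

  # VPC flow logs are left disabled in this example. Enabling the lines below is
  # what gives a network-level audit trail for traffic to the endpoints defined here.
  # enable_flow_log                      = true
  # create_flow_log_cloudwatch_log_group = true
  # create_flow_log_cloudwatch_iam_role  = true
  # flow_log_max_aggregation_interval    = 60

  tags = local.tags
}

module "vpc_endpoints" {
  source = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"

  vpc_id = module.vpc.vpc_id

  # Attach the purpose-built TLS security group instead of the VPC default group:
  # it admits only 443/tcp from the VPC CIDR, which is all an interface endpoint
  # needs, and its rules are defined in this file rather than by the vpc module
  # (which owns the default group via manage_default_security_group above).
  security_group_ids = [aws_security_group.vpc_tls.id]

  endpoints = {
    dynamodb = {
      service      = "dynamodb"
      service_type = "Gateway"
      route_table_ids = flatten([
        module.vpc.intra_route_table_ids,
        module.vpc.private_route_table_ids,
        module.vpc.public_route_table_ids,
      ])
      policy = data.aws_iam_policy_document.dynamodb_endpoint_policy.json
      tags   = { Name = "dynamodb-vpc-endpoint" }
    },
    lambda = {
      service             = "lambda"
      private_dns_enabled = true
      subnet_ids          = module.vpc.private_subnets
      # Restrict the endpoint to requests originating from this VPC.
      policy = data.aws_iam_policy_document.generic_endpoint_policy.json
    },
    ses = {
      service = "ses"
      # Placeholder subnet ids carried over from the example; replace with subnets
      # that belong to this VPC (e.g. module.vpc.private_subnets) before applying.
      subnet_ids = ["subnet-12345678", "subnet-87654321"]
      tags       = { Name = "ses-vpc-endpoint" }
    },
  }

  tags = merge(local.tags, {
    Project  = "Secret"
    Endpoint = "true"
  })
}

# Demonstrates the module's create = false switch: no endpoints are provisioned.
module "vpc_endpoints_nocreate" {
  source = "../../modules/vpc-endpoints"

  create = false
}

################################################################################
# Supporting Resources
################################################################################

# Looks up the VPC default security group. Not attached to the endpoints above;
# kept so the group's id is available for reference.
data "aws_security_group" "default" {
  name   = "default"
  vpc_id = module.vpc.vpc_id
}

# Gateway-endpoint policy: deny every DynamoDB action unless the request comes
# from this VPC. The condition is keyed on aws:SourceVpc, which carries a vpc-…
# id and so can be compared with module.vpc.vpc_id. The original aws:sourceVpce
# key carries the endpoint's own vpce-… id, which never equals a VPC id, so the
# StringNotEquals test was always true and the Deny applied to every request.
# NOTE(review): this document contains only a Deny statement and no Allow;
# confirm the endpoint still grants the access callers expect.
data "aws_iam_policy_document" "dynamodb_endpoint_policy" {
  statement {
    effect    = "Deny"
    actions   = ["dynamodb:*"]
    resources = ["*"]

    principals {
      type        = "*"
      identifiers = ["*"]
    }

    condition {
      test     = "StringNotEquals"
      variable = "aws:SourceVpc"
      values   = [module.vpc.vpc_id]
    }
  }
}

# Generic endpoint policy: deny any action whose request does not originate
# from this VPC. Attached to the lambda interface endpoint above.
data "aws_iam_policy_document" "generic_endpoint_policy" {
  statement {
    effect    = "Deny"
    actions   = ["*"]
    resources = ["*"]

    principals {
      type        = "*"
      identifiers = ["*"]
    }

    condition {
      test     = "StringNotEquals"
      variable = "aws:SourceVpc"
      values   = [module.vpc.vpc_id]
    }
  }
}

# Security group for the interface endpoint ENIs: inbound TLS from the VPC only.
# No egress block is declared, so the provider removes the AWS default
# allow-all egress rule; endpoint responses are covered by stateful tracking.
resource "aws_security_group" "vpc_tls" {
  name_prefix = "${local.name}-vpc_tls"
  description = "Allow TLS inbound traffic"
  vpc_id      = module.vpc.vpc_id

  ingress {
    description = "TLS from VPC"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [module.vpc.vpc_cidr_block]
  }

  tags = local.tags
}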