diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 23497e143..1439c3f4f 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -3,7 +3,7 @@ repos: rev: v1.11.0 hooks: - id: terraform_fmt - - id: terraform_docs +# - id: terraform_docs # not yet compatible with Terraform 0.12 - repo: git://github.com/pre-commit/pre-commit-hooks rev: v2.2.3 hooks: diff --git a/examples/complete-vpc/main.tf b/examples/complete-vpc/main.tf index 2d5d71183..f51519a87 100644 --- a/examples/complete-vpc/main.tf +++ b/examples/complete-vpc/main.tf @@ -4,7 +4,7 @@ provider "aws" { data "aws_security_group" "default" { name = "default" - vpc_id = "${module.vpc.vpc_id}" + vpc_id = module.vpc.vpc_id } module "vpc" { @@ -45,52 +45,52 @@ module "vpc" { # VPC endpoint for SSM enable_ssm_endpoint = true ssm_endpoint_private_dns_enabled = true - ssm_endpoint_security_group_ids = ["${data.aws_security_group.default.id}"] + ssm_endpoint_security_group_ids = [data.aws_security_group.default.id] # VPC endpoint for SSMMESSAGES enable_ssmmessages_endpoint = true ssmmessages_endpoint_private_dns_enabled = true - ssmmessages_endpoint_security_group_ids = ["${data.aws_security_group.default.id}"] + ssmmessages_endpoint_security_group_ids = [data.aws_security_group.default.id] # VPC Endpoint for EC2 enable_ec2_endpoint = true ec2_endpoint_private_dns_enabled = true - ec2_endpoint_security_group_ids = ["${data.aws_security_group.default.id}"] + ec2_endpoint_security_group_ids = [data.aws_security_group.default.id] # VPC Endpoint for EC2MESSAGES enable_ec2messages_endpoint = true ec2messages_endpoint_private_dns_enabled = true - ec2messages_endpoint_security_group_ids = ["${data.aws_security_group.default.id}"] + ec2messages_endpoint_security_group_ids = [data.aws_security_group.default.id] # VPC Endpoint for ECR API enable_ecr_api_endpoint = true ecr_api_endpoint_private_dns_enabled = true - ecr_api_endpoint_security_group_ids = ["${data.aws_security_group.default.id}"] + ecr_api_endpoint_security_group_ids = [data.aws_security_group.default.id] # VPC Endpoint for ECR DKR enable_ecr_dkr_endpoint = true ecr_dkr_endpoint_private_dns_enabled = true - ecr_dkr_endpoint_security_group_ids = ["${data.aws_security_group.default.id}"] + ecr_dkr_endpoint_security_group_ids = [data.aws_security_group.default.id] # VPC endpoint for KMS enable_kms_endpoint = true kms_endpoint_private_dns_enabled = true - kms_endpoint_security_group_ids = ["${data.aws_security_group.default.id}"] + kms_endpoint_security_group_ids = [data.aws_security_group.default.id] # VPC endpoint for ECS enable_ecs_endpoint = true ecs_endpoint_private_dns_enabled = true - ecs_endpoint_security_group_ids = ["${data.aws_security_group.default.id}"] + ecs_endpoint_security_group_ids = [data.aws_security_group.default.id] # VPC endpoint for ECS telemetry enable_ecs_telemetry_endpoint = true ecs_telemetry_endpoint_private_dns_enabled = true - ecs_telemetry_endpoint_security_group_ids = ["${data.aws_security_group.default.id}"] + ecs_telemetry_endpoint_security_group_ids = [data.aws_security_group.default.id] # VPC endpoint for SQS enable_sqs_endpoint = true sqs_endpoint_private_dns_enabled = true - sqs_endpoint_security_group_ids = ["${data.aws_security_group.default.id}"] + sqs_endpoint_security_group_ids = [data.aws_security_group.default.id] tags = { Owner = "user" @@ -98,3 +98,4 @@ module "vpc" { Name = "complete" } } + diff --git a/examples/complete-vpc/outputs.tf b/examples/complete-vpc/outputs.tf index 871359d39..db1fef127 100644 --- a/examples/complete-vpc/outputs.tf +++ b/examples/complete-vpc/outputs.tf @@ -1,60 +1,60 @@ # VPC output "vpc_id" { description = "The ID of the VPC" - value = "${module.vpc.vpc_id}" + value = module.vpc.vpc_id } # Subnets output "private_subnets" { description = "List of IDs of private subnets" - value = ["${module.vpc.private_subnets}"] + value = module.vpc.private_subnets } output "public_subnets" { description = "List of IDs of public subnets" - value = ["${module.vpc.public_subnets}"] + value = module.vpc.public_subnets } output "database_subnets" { description = "List of IDs of database subnets" - value = ["${module.vpc.database_subnets}"] + value = module.vpc.database_subnets } output "elasticache_subnets" { description = "List of IDs of elasticache subnets" - value = ["${module.vpc.elasticache_subnets}"] + value = module.vpc.elasticache_subnets } output "redshift_subnets" { description = "List of IDs of redshift subnets" - value = ["${module.vpc.redshift_subnets}"] + value = module.vpc.redshift_subnets } output "intra_subnets" { description = "List of IDs of intra subnets" - value = ["${module.vpc.intra_subnets}"] + value = module.vpc.intra_subnets } # NAT gateways output "nat_public_ips" { description = "List of public Elastic IPs created for AWS NAT Gateway" - value = ["${module.vpc.nat_public_ips}"] + value = module.vpc.nat_public_ips } # VPC endpoints output "vpc_endpoint_ssm_id" { description = "The ID of VPC endpoint for SSM" - value = "${module.vpc.vpc_endpoint_ssm_id}" + value = module.vpc.vpc_endpoint_ssm_id } output "vpc_endpoint_ssm_network_interface_ids" { description = "One or more network interfaces for the VPC Endpoint for SSM." - value = ["${module.vpc.vpc_endpoint_ssm_network_interface_ids}"] + value = module.vpc.vpc_endpoint_ssm_network_interface_ids } output "vpc_endpoint_ssm_dns_entry" { description = "The DNS entries for the VPC Endpoint for SSM." - value = ["${module.vpc.vpc_endpoint_ssm_dns_entry}"] + value = module.vpc.vpc_endpoint_ssm_dns_entry } // @@ -73,4 +73,3 @@ output "vpc_endpoint_ssm_dns_entry" { // description = "The DNS entries for the VPC Endpoint for EC2." // value = ["${module.vpc.vpc_endpoint_ec2_dns_entry}"] //} - diff --git a/examples/issue-108-route-already-exists/main.tf b/examples/issue-108-route-already-exists/main.tf index 199b47a9f..74f0af0c6 100644 --- a/examples/issue-108-route-already-exists/main.tf +++ b/examples/issue-108-route-already-exists/main.tf @@ -19,3 +19,4 @@ module "vpc" { enable_s3_endpoint = true enable_dynamodb_endpoint = true } + diff --git a/examples/issue-108-route-already-exists/outputs.tf b/examples/issue-108-route-already-exists/outputs.tf index 26f69ebd4..51b4e83b7 100644 --- a/examples/issue-108-route-already-exists/outputs.tf +++ b/examples/issue-108-route-already-exists/outputs.tf @@ -1,32 +1,33 @@ # VPC output "vpc_id" { description = "The ID of the VPC" - value = "${module.vpc.vpc_id}" + value = module.vpc.vpc_id } # Subnets output "private_subnets" { description = "List of IDs of private subnets" - value = ["${module.vpc.private_subnets}"] + value = module.vpc.private_subnets } output "public_subnets" { description = "List of IDs of public subnets" - value = ["${module.vpc.public_subnets}"] + value = module.vpc.public_subnets } output "database_subnets" { description = "List of IDs of database subnets" - value = ["${module.vpc.database_subnets}"] + value = module.vpc.database_subnets } output "elasticache_subnets" { description = "List of IDs of elasticache subnets" - value = ["${module.vpc.elasticache_subnets}"] + value = module.vpc.elasticache_subnets } # NAT gateways output "nat_public_ips" { description = "List of public Elastic IPs created for AWS NAT Gateway" - value = ["${module.vpc.nat_public_ips}"] + value = module.vpc.nat_public_ips } + diff --git a/examples/issue-224-vpcendpoint-apigw/main.tf b/examples/issue-224-vpcendpoint-apigw/main.tf index 252f885e7..2ae222af1 100644 --- a/examples/issue-224-vpcendpoint-apigw/main.tf +++ b/examples/issue-224-vpcendpoint-apigw/main.tf @@ -4,7 +4,7 @@ provider "aws" { data "aws_security_group" "default" { name = "default" - vpc_id = "${module.vpc.vpc_id}" + vpc_id = module.vpc.vpc_id } module "vpc" { @@ -19,7 +19,7 @@ module "vpc" { # VPC endpoint for API gateway enable_apigw_endpoint = true - apigw_endpoint_security_group_ids = ["${data.aws_security_group.default.id}"] + apigw_endpoint_security_group_ids = [data.aws_security_group.default.id] apigw_endpoint_private_dns_enabled = true tags = { @@ -28,3 +28,4 @@ module "vpc" { Name = "test-224" } } + diff --git a/examples/issue-44-asymmetric-private-subnets/main.tf b/examples/issue-44-asymmetric-private-subnets/main.tf index 1a1c4cf0c..07f3f0fe7 100644 --- a/examples/issue-44-asymmetric-private-subnets/main.tf +++ b/examples/issue-44-asymmetric-private-subnets/main.tf @@ -25,3 +25,4 @@ module "vpc" { Name = "asymmetrical" } } + diff --git a/examples/issue-44-asymmetric-private-subnets/outputs.tf b/examples/issue-44-asymmetric-private-subnets/outputs.tf index 26f69ebd4..51b4e83b7 100644 --- a/examples/issue-44-asymmetric-private-subnets/outputs.tf +++ b/examples/issue-44-asymmetric-private-subnets/outputs.tf @@ -1,32 +1,33 @@ # VPC output "vpc_id" { description = "The ID of the VPC" - value = "${module.vpc.vpc_id}" + value = module.vpc.vpc_id } # Subnets output "private_subnets" { description = "List of IDs of private subnets" - value = ["${module.vpc.private_subnets}"] + value = module.vpc.private_subnets } output "public_subnets" { description = "List of IDs of public subnets" - value = ["${module.vpc.public_subnets}"] + value = module.vpc.public_subnets } output "database_subnets" { description = "List of IDs of database subnets" - value = ["${module.vpc.database_subnets}"] + value = module.vpc.database_subnets } output "elasticache_subnets" { description = "List of IDs of elasticache subnets" - value = ["${module.vpc.elasticache_subnets}"] + value = module.vpc.elasticache_subnets } # NAT gateways output "nat_public_ips" { description = "List of public Elastic IPs created for AWS NAT Gateway" - value = ["${module.vpc.nat_public_ips}"] + value = module.vpc.nat_public_ips } + diff --git a/examples/issue-46-no-private-subnets/main.tf b/examples/issue-46-no-private-subnets/main.tf index 8cb816e4c..e9e5ec517 100644 --- a/examples/issue-46-no-private-subnets/main.tf +++ b/examples/issue-46-no-private-subnets/main.tf @@ -23,3 +23,4 @@ module "vpc" { Name = "no-private-subnets" } } + diff --git a/examples/issue-46-no-private-subnets/outputs.tf b/examples/issue-46-no-private-subnets/outputs.tf index 26f69ebd4..51b4e83b7 100644 --- a/examples/issue-46-no-private-subnets/outputs.tf +++ b/examples/issue-46-no-private-subnets/outputs.tf @@ -1,32 +1,33 @@ # VPC output "vpc_id" { description = "The ID of the VPC" - value = "${module.vpc.vpc_id}" + value = module.vpc.vpc_id } # Subnets output "private_subnets" { description = "List of IDs of private subnets" - value = ["${module.vpc.private_subnets}"] + value = module.vpc.private_subnets } output "public_subnets" { description = "List of IDs of public subnets" - value = ["${module.vpc.public_subnets}"] + value = module.vpc.public_subnets } output "database_subnets" { description = "List of IDs of database subnets" - value = ["${module.vpc.database_subnets}"] + value = module.vpc.database_subnets } output "elasticache_subnets" { description = "List of IDs of elasticache subnets" - value = ["${module.vpc.elasticache_subnets}"] + value = module.vpc.elasticache_subnets } # NAT gateways output "nat_public_ips" { description = "List of public Elastic IPs created for AWS NAT Gateway" - value = ["${module.vpc.nat_public_ips}"] + value = module.vpc.nat_public_ips } + diff --git a/examples/manage-default-vpc/main.tf b/examples/manage-default-vpc/main.tf index 73da2c763..5f645dd8e 100644 --- a/examples/manage-default-vpc/main.tf +++ b/examples/manage-default-vpc/main.tf @@ -11,3 +11,4 @@ module "vpc" { default_vpc_name = "default" default_vpc_enable_dns_hostnames = true } + diff --git a/examples/manage-default-vpc/outputs.tf b/examples/manage-default-vpc/outputs.tf index f41e2d898..ce193dd8d 100644 --- a/examples/manage-default-vpc/outputs.tf +++ b/examples/manage-default-vpc/outputs.tf @@ -1,10 +1,11 @@ # Default VPC output "default_vpc_id" { description = "The ID of the Default VPC" - value = "${module.vpc.default_vpc_id}" + value = module.vpc.default_vpc_id } output "default_vpc_cidr_block" { description = "The CIDR block of the VPC" - value = "${module.vpc.default_vpc_cidr_block}" + value = module.vpc.default_vpc_cidr_block } + diff --git a/examples/network-acls/main.tf b/examples/network-acls/main.tf index 0e3f6a29c..c1a1dab90 100644 --- a/examples/network-acls/main.tf +++ b/examples/network-acls/main.tf @@ -15,8 +15,14 @@ module "vpc" { elasticache_subnets = ["10.0.201.0/24", "10.0.202.0/24", "10.0.203.0/24"] public_dedicated_network_acl = true - public_inbound_acl_rules = "${concat(local.network_acls["default_inbound"], local.network_acls["public_inbound"])}" - public_outbound_acl_rules = "${concat(local.network_acls["default_outbound"], local.network_acls["public_outbound"])}" + public_inbound_acl_rules = concat( + local.network_acls["default_inbound"], + local.network_acls["public_inbound"], + ) + public_outbound_acl_rules = concat( + local.network_acls["default_outbound"], + local.network_acls["public_outbound"], + ) private_dedicated_network_acl = true @@ -51,7 +57,6 @@ locals { cidr_block = "0.0.0.0/0" }, ] - default_outbound = [ { rule_number = 900 @@ -62,7 +67,6 @@ locals { cidr_block = "0.0.0.0/0" }, ] - public_inbound = [ { rule_number = 100 @@ -97,7 +101,6 @@ locals { cidr_block = "0.0.0.0/0" }, ] - public_outbound = [ { rule_number = 100 @@ -134,3 +137,4 @@ locals { ] } } + diff --git a/examples/network-acls/outputs.tf b/examples/network-acls/outputs.tf index 535d5f43e..577d73980 100644 --- a/examples/network-acls/outputs.tf +++ b/examples/network-acls/outputs.tf @@ -1,13 +1,13 @@ # VPC output "vpc_id" { description = "The ID of the VPC" - value = "${module.vpc.vpc_id}" + value = module.vpc.vpc_id } # CIDR blocks output "vpc_cidr_block" { description = "The CIDR block of the VPC" - value = ["${module.vpc.vpc_cidr_block}"] + value = module.vpc.vpc_cidr_block } //output "vpc_ipv6_cidr_block" { @@ -18,37 +18,38 @@ output "vpc_cidr_block" { # Subnets output "private_subnets" { description = "List of IDs of private subnets" - value = ["${module.vpc.private_subnets}"] + value = module.vpc.private_subnets } output "public_subnets" { description = "List of IDs of public subnets" - value = ["${module.vpc.public_subnets}"] + value = module.vpc.public_subnets } # NAT gateways output "nat_public_ips" { description = "List of public Elastic IPs created for AWS NAT Gateway" - value = ["${module.vpc.nat_public_ips}"] + value = module.vpc.nat_public_ips } # Network ACLs output "public_network_acl_id" { description = "ID of the public network ACL" - value = "${module.vpc.public_network_acl_id}" + value = module.vpc.public_network_acl_id } output "private_network_acl_id" { description = "ID of the private network ACL" - value = "${module.vpc.private_network_acl_id}" + value = module.vpc.private_network_acl_id } output "elasticache_network_acl_id" { description = "ID of the elasticache network ACL" - value = "${module.vpc.elasticache_network_acl_id}" + value = module.vpc.elasticache_network_acl_id } output "default_network_acl_id" { description = "The ID of the default network ACL" - value = "${module.vpc.default_network_acl_id}" + value = module.vpc.default_network_acl_id } + diff --git a/examples/secondary-cidr-blocks/main.tf b/examples/secondary-cidr-blocks/main.tf index e4cc43231..a49b973de 100644 --- a/examples/secondary-cidr-blocks/main.tf +++ b/examples/secondary-cidr-blocks/main.tf @@ -31,3 +31,4 @@ module "vpc" { Name = "vpc-name" } } + diff --git a/examples/secondary-cidr-blocks/outputs.tf b/examples/secondary-cidr-blocks/outputs.tf index 7cc6480d8..c110ed2ab 100644 --- a/examples/secondary-cidr-blocks/outputs.tf +++ b/examples/secondary-cidr-blocks/outputs.tf @@ -1,33 +1,34 @@ # VPC output "vpc_id" { description = "The ID of the VPC" - value = "${module.vpc.vpc_id}" + value = module.vpc.vpc_id } # CIDR blocks output "vpc_cidr_block" { description = "The CIDR block of the VPC" - value = ["${module.vpc.vpc_cidr_block}"] + value = module.vpc.vpc_cidr_block } output "vpc_secondary_cidr_blocks" { description = "List of secondary CIDR blocks of the VPC" - value = ["${module.vpc.vpc_secondary_cidr_blocks}"] + value = module.vpc.vpc_secondary_cidr_blocks } # Subnets output "private_subnets" { description = "List of IDs of private subnets" - value = ["${module.vpc.private_subnets}"] + value = module.vpc.private_subnets } output "public_subnets" { description = "List of IDs of public subnets" - value = ["${module.vpc.public_subnets}"] + value = module.vpc.public_subnets } # NAT gateways output "nat_public_ips" { description = "List of public Elastic IPs created for AWS NAT Gateway" - value = ["${module.vpc.nat_public_ips}"] + value = module.vpc.nat_public_ips } + diff --git a/examples/simple-vpc/main.tf b/examples/simple-vpc/main.tf index decd0b0c5..c0b094835 100644 --- a/examples/simple-vpc/main.tf +++ b/examples/simple-vpc/main.tf @@ -4,7 +4,7 @@ provider "aws" { data "aws_security_group" "default" { name = "default" - vpc_id = "${module.vpc.vpc_id}" + vpc_id = module.vpc.vpc_id } module "vpc" { @@ -36,3 +36,4 @@ module "vpc" { Name = "vpc-name" } } + diff --git a/examples/simple-vpc/outputs.tf b/examples/simple-vpc/outputs.tf index 7ab197f4a..251969ca2 100644 --- a/examples/simple-vpc/outputs.tf +++ b/examples/simple-vpc/outputs.tf @@ -1,13 +1,13 @@ # VPC output "vpc_id" { description = "The ID of the VPC" - value = "${module.vpc.vpc_id}" + value = module.vpc.vpc_id } # CIDR blocks output "vpc_cidr_block" { description = "The CIDR block of the VPC" - value = ["${module.vpc.vpc_cidr_block}"] + value = module.vpc.vpc_cidr_block } //output "vpc_ipv6_cidr_block" { @@ -18,22 +18,23 @@ output "vpc_cidr_block" { # Subnets output "private_subnets" { description = "List of IDs of private subnets" - value = ["${module.vpc.private_subnets}"] + value = module.vpc.private_subnets } output "public_subnets" { description = "List of IDs of public subnets" - value = ["${module.vpc.public_subnets}"] + value = module.vpc.public_subnets } # NAT gateways output "nat_public_ips" { description = "List of public Elastic IPs created for AWS NAT Gateway" - value = ["${module.vpc.nat_public_ips}"] + value = module.vpc.nat_public_ips } # AZs output "azs" { description = "A list of availability zones spefified as argument to this module" - value = ["${module.vpc.azs}"] + value = module.vpc.azs } + diff --git a/examples/test_fixture/main.tf b/examples/test_fixture/main.tf index b0eb37ea0..5752aba2e 100644 --- a/examples/test_fixture/main.tf +++ b/examples/test_fixture/main.tf @@ -1,14 +1,15 @@ provider "aws" { - region = "${var.region}" + region = var.region } -data "aws_availability_zones" "available" {} +data "aws_availability_zones" "available" { +} module "vpc" { source = "../.." name = "test-example" cidr = "10.0.0.0/16" - azs = ["${data.aws_availability_zones.available.names[0]}", "${data.aws_availability_zones.available.names[1]}"] + azs = [data.aws_availability_zones.available.names[0], data.aws_availability_zones.available.names[1]] private_subnets = ["10.0.1.0/24", "10.0.2.0/24"] public_subnets = ["10.0.101.0/24", "10.0.102.0/24"] enable_nat_gateway = true @@ -19,3 +20,4 @@ module "vpc" { Environment = "dev" } } + diff --git a/examples/test_fixture/outputs.tf b/examples/test_fixture/outputs.tf index 4c89ae958..c6ec3716b 100644 --- a/examples/test_fixture/outputs.tf +++ b/examples/test_fixture/outputs.tf @@ -1,4 +1,5 @@ output "region" { description = "Region we created the resources in." - value = "${var.region}" + value = var.region } + diff --git a/examples/test_fixture/variables.tf b/examples/test_fixture/variables.tf index a3986dc92..f8455295f 100644 --- a/examples/test_fixture/variables.tf +++ b/examples/test_fixture/variables.tf @@ -1,3 +1,4 @@ variable "region" { default = "eu-west-1" } + diff --git a/examples/vpc-separate-private-route-tables/main.tf b/examples/vpc-separate-private-route-tables/main.tf index b380a4065..99d996840 100644 --- a/examples/vpc-separate-private-route-tables/main.tf +++ b/examples/vpc-separate-private-route-tables/main.tf @@ -29,3 +29,4 @@ module "vpc" { Name = "separate-private-route-tables" } } + diff --git a/examples/vpc-separate-private-route-tables/outputs.tf b/examples/vpc-separate-private-route-tables/outputs.tf index 1a4ba6073..fdd5e8d05 100644 --- a/examples/vpc-separate-private-route-tables/outputs.tf +++ b/examples/vpc-separate-private-route-tables/outputs.tf @@ -1,37 +1,38 @@ # VPC output "vpc_id" { description = "The ID of the VPC" - value = "${module.vpc.vpc_id}" + value = module.vpc.vpc_id } # Subnets output "private_subnets" { description = "List of IDs of private subnets" - value = ["${module.vpc.private_subnets}"] + value = module.vpc.private_subnets } output "public_subnets" { description = "List of IDs of public subnets" - value = ["${module.vpc.public_subnets}"] + value = module.vpc.public_subnets } output "database_subnets" { description = "List of IDs of database subnets" - value = ["${module.vpc.database_subnets}"] + value = module.vpc.database_subnets } output "elasticache_subnets" { description = "List of IDs of elasticache subnets" - value = ["${module.vpc.elasticache_subnets}"] + value = module.vpc.elasticache_subnets } output "redshift_subnets" { description = "List of IDs of elasticache subnets" - value = ["${module.vpc.redshift_subnets}"] + value = module.vpc.redshift_subnets } # NAT gateways output "nat_public_ips" { description = "List of public Elastic IPs created for AWS NAT Gateway" - value = ["${module.vpc.nat_public_ips}"] + value = module.vpc.nat_public_ips } + diff --git a/main.tf b/main.tf index 86bfccc2a..aa2ae9658 100644 --- a/main.tf +++ b/main.tf @@ -1,91 +1,123 @@ -terraform { - required_version = ">= 0.10.3" # introduction of Local Values configuration language feature -} - locals { - max_subnet_length = "${max(length(var.private_subnets), length(var.elasticache_subnets), length(var.database_subnets), length(var.redshift_subnets))}" - nat_gateway_count = "${var.single_nat_gateway ? 1 : (var.one_nat_gateway_per_az ? length(var.azs) : local.max_subnet_length)}" + max_subnet_length = max( + length(var.private_subnets), + length(var.elasticache_subnets), + length(var.database_subnets), + length(var.redshift_subnets), + ) + nat_gateway_count = var.single_nat_gateway ? 1 : var.one_nat_gateway_per_az ? length(var.azs) : local.max_subnet_length # Use `local.vpc_id` to give a hint to Terraform that subnets should be deleted before secondary CIDR blocks can be free! - vpc_id = "${element(concat(aws_vpc_ipv4_cidr_block_association.this.*.vpc_id, aws_vpc.this.*.id, list("")), 0)}" + vpc_id = element( + concat( + aws_vpc_ipv4_cidr_block_association.this.*.vpc_id, + aws_vpc.this.*.id, + [""], + ), + 0, + ) } ###### # VPC ###### resource "aws_vpc" "this" { - count = "${var.create_vpc ? 1 : 0}" + count = var.create_vpc ? 1 : 0 - cidr_block = "${var.cidr}" - instance_tenancy = "${var.instance_tenancy}" - enable_dns_hostnames = "${var.enable_dns_hostnames}" - enable_dns_support = "${var.enable_dns_support}" - assign_generated_ipv6_cidr_block = "${var.assign_generated_ipv6_cidr_block}" + cidr_block = var.cidr + instance_tenancy = var.instance_tenancy + enable_dns_hostnames = var.enable_dns_hostnames + enable_dns_support = var.enable_dns_support + assign_generated_ipv6_cidr_block = var.assign_generated_ipv6_cidr_block - tags = "${merge(map("Name", format("%s", var.name)), var.tags, var.vpc_tags)}" + tags = merge( + { + "Name" = format("%s", var.name) + }, + var.tags, + var.vpc_tags, + ) } resource "aws_vpc_ipv4_cidr_block_association" "this" { - count = "${var.create_vpc && length(var.secondary_cidr_blocks) > 0 ? length(var.secondary_cidr_blocks) : 0}" + count = var.create_vpc && length(var.secondary_cidr_blocks) > 0 ? length(var.secondary_cidr_blocks) : 0 - vpc_id = "${aws_vpc.this.id}" + vpc_id = aws_vpc.this[0].id - cidr_block = "${element(var.secondary_cidr_blocks, count.index)}" + cidr_block = element(var.secondary_cidr_blocks, count.index) } ################### # DHCP Options Set ################### resource "aws_vpc_dhcp_options" "this" { - count = "${var.create_vpc && var.enable_dhcp_options ? 1 : 0}" + count = var.create_vpc && var.enable_dhcp_options ? 1 : 0 - domain_name = "${var.dhcp_options_domain_name}" - domain_name_servers = ["${var.dhcp_options_domain_name_servers}"] - ntp_servers = ["${var.dhcp_options_ntp_servers}"] - netbios_name_servers = ["${var.dhcp_options_netbios_name_servers}"] - netbios_node_type = "${var.dhcp_options_netbios_node_type}" + domain_name = var.dhcp_options_domain_name + domain_name_servers = var.dhcp_options_domain_name_servers + ntp_servers = var.dhcp_options_ntp_servers + netbios_name_servers = var.dhcp_options_netbios_name_servers + netbios_node_type = var.dhcp_options_netbios_node_type - tags = "${merge(map("Name", format("%s", var.name)), var.tags, var.dhcp_options_tags)}" + tags = merge( + { + "Name" = format("%s", var.name) + }, + var.tags, + var.dhcp_options_tags, + ) } ############################### # DHCP Options Set Association ############################### resource "aws_vpc_dhcp_options_association" "this" { - count = "${var.create_vpc && var.enable_dhcp_options ? 1 : 0}" + count = var.create_vpc && var.enable_dhcp_options ? 1 : 0 - vpc_id = "${local.vpc_id}" - dhcp_options_id = "${aws_vpc_dhcp_options.this.id}" + vpc_id = local.vpc_id + dhcp_options_id = aws_vpc_dhcp_options.this[0].id } ################### # Internet Gateway ################### resource "aws_internet_gateway" "this" { - count = "${var.create_vpc && length(var.public_subnets) > 0 ? 1 : 0}" + count = var.create_vpc && length(var.public_subnets) > 0 ? 1 : 0 - vpc_id = "${local.vpc_id}" + vpc_id = local.vpc_id - tags = "${merge(map("Name", format("%s", var.name)), var.tags, var.igw_tags)}" + tags = merge( + { + "Name" = format("%s", var.name) + }, + var.tags, + var.igw_tags, + ) } ################ # Publiс routes ################ resource "aws_route_table" "public" { - count = "${var.create_vpc && length(var.public_subnets) > 0 ? 1 : 0}" + count = var.create_vpc && length(var.public_subnets) > 0 ? 1 : 0 - vpc_id = "${local.vpc_id}" + vpc_id = local.vpc_id - tags = "${merge(map("Name", format("%s-${var.public_subnet_suffix}", var.name)), var.tags, var.public_route_table_tags)}" + tags = merge( + { + "Name" = format("%s-${var.public_subnet_suffix}", var.name) + }, + var.tags, + var.public_route_table_tags, + ) } resource "aws_route" "public_internet_gateway" { - count = "${var.create_vpc && length(var.public_subnets) > 0 ? 1 : 0}" + count = var.create_vpc && length(var.public_subnets) > 0 ? 1 : 0 - route_table_id = "${aws_route_table.public.id}" + route_table_id = aws_route_table.public[0].id destination_cidr_block = "0.0.0.0/0" - gateway_id = "${aws_internet_gateway.this.id}" + gateway_id = aws_internet_gateway.this[0].id timeouts { create = "5m" @@ -97,16 +129,26 @@ resource "aws_route" "public_internet_gateway" { # There are as many routing tables as the number of NAT gateways ################# resource "aws_route_table" "private" { - count = "${var.create_vpc && local.max_subnet_length > 0 ? local.nat_gateway_count : 0}" - - vpc_id = "${local.vpc_id}" - - tags = "${merge(map("Name", (var.single_nat_gateway ? "${var.name}-${var.private_subnet_suffix}" : format("%s-${var.private_subnet_suffix}-%s", var.name, element(var.azs, count.index)))), var.tags, var.private_route_table_tags)}" + count = var.create_vpc && local.max_subnet_length > 0 ? local.nat_gateway_count : 0 + + vpc_id = local.vpc_id + + tags = merge( + { + "Name" = var.single_nat_gateway ? "${var.name}-${var.private_subnet_suffix}" : format( + "%s-${var.private_subnet_suffix}-%s", + var.name, + element(var.azs, count.index), + ) + }, + var.tags, + var.private_route_table_tags, + ) lifecycle { # When attaching VPN gateways it is common to define aws_vpn_gateway_route_propagation # resources that manipulate the attributes of the routing table (typically for the private subnets) - ignore_changes = ["propagating_vgws"] + ignore_changes = [propagating_vgws] } } @@ -114,19 +156,25 @@ resource "aws_route_table" "private" { # Database routes ################# resource "aws_route_table" "database" { - count = "${var.create_vpc && var.create_database_subnet_route_table && length(var.database_subnets) > 0 ? 1 : 0}" + count = var.create_vpc && var.create_database_subnet_route_table && length(var.database_subnets) > 0 ? 1 : 0 - vpc_id = "${local.vpc_id}" + vpc_id = local.vpc_id - tags = "${merge(var.tags, var.database_route_table_tags, map("Name", "${var.name}-${var.database_subnet_suffix}"))}" + tags = merge( + var.tags, + var.database_route_table_tags, + { + "Name" = "${var.name}-${var.database_subnet_suffix}" + }, + ) } resource "aws_route" "database_internet_gateway" { - count = "${var.create_vpc && var.create_database_subnet_route_table && length(var.database_subnets) > 0 && var.create_database_internet_gateway_route && ! var.create_database_nat_gateway_route ? 1 : 0}" + count = var.create_vpc && var.create_database_subnet_route_table && length(var.database_subnets) > 0 && var.create_database_internet_gateway_route && false == var.create_database_nat_gateway_route ? 1 : 0 - route_table_id = "${aws_route_table.database.id}" + route_table_id = aws_route_table.database[0].id destination_cidr_block = "0.0.0.0/0" - gateway_id = "${aws_internet_gateway.this.id}" + gateway_id = aws_internet_gateway.this[0].id timeouts { create = "5m" @@ -134,10 +182,11 @@ resource "aws_route" "database_internet_gateway" { } resource "aws_route" "database_nat_gateway" { - count = "${var.create_vpc && var.create_database_subnet_route_table && length(var.database_subnets) > 0 && ! var.create_database_internet_gateway_route && var.create_database_nat_gateway_route && var.enable_nat_gateway ? local.nat_gateway_count : 0}" - route_table_id = "${element(aws_route_table.private.*.id, count.index)}" + count = var.create_vpc && var.create_database_subnet_route_table && length(var.database_subnets) > 0 && false == var.create_database_internet_gateway_route && var.create_database_nat_gateway_route && var.enable_nat_gateway ? local.nat_gateway_count : 0 + + route_table_id = element(aws_route_table.private.*.id, count.index) destination_cidr_block = "0.0.0.0/0" - nat_gateway_id = "${element(aws_nat_gateway.this.*.id, count.index)}" + nat_gateway_id = element(aws_nat_gateway.this.*.id, count.index) timeouts { create = "5m" @@ -148,157 +197,279 @@ resource "aws_route" "database_nat_gateway" { # Redshift routes ################# resource "aws_route_table" "redshift" { - count = "${var.create_vpc && var.create_redshift_subnet_route_table && length(var.redshift_subnets) > 0 ? 1 : 0}" + count = var.create_vpc && var.create_redshift_subnet_route_table && length(var.redshift_subnets) > 0 ? 1 : 0 - vpc_id = "${local.vpc_id}" + vpc_id = local.vpc_id - tags = "${merge(var.tags, var.redshift_route_table_tags, map("Name", "${var.name}-${var.redshift_subnet_suffix}"))}" + tags = merge( + var.tags, + var.redshift_route_table_tags, + { + "Name" = "${var.name}-${var.redshift_subnet_suffix}" + }, + ) } ################# # Elasticache routes ################# resource "aws_route_table" "elasticache" { - count = "${var.create_vpc && var.create_elasticache_subnet_route_table && length(var.elasticache_subnets) > 0 ? 1 : 0}" + count = var.create_vpc && var.create_elasticache_subnet_route_table && length(var.elasticache_subnets) > 0 ? 1 : 0 - vpc_id = "${local.vpc_id}" + vpc_id = local.vpc_id - tags = "${merge(var.tags, var.elasticache_route_table_tags, map("Name", "${var.name}-${var.elasticache_subnet_suffix}"))}" + tags = merge( + var.tags, + var.elasticache_route_table_tags, + { + "Name" = "${var.name}-${var.elasticache_subnet_suffix}" + }, + ) } ################# # Intra routes ################# resource "aws_route_table" "intra" { - count = "${var.create_vpc && length(var.intra_subnets) > 0 ? 1 : 0}" + count = var.create_vpc && length(var.intra_subnets) > 0 ? 1 : 0 - vpc_id = "${local.vpc_id}" + vpc_id = local.vpc_id - tags = "${merge(map("Name", "${var.name}-${var.intra_subnet_suffix}"), var.tags, var.intra_route_table_tags)}" + tags = merge( + { + "Name" = "${var.name}-${var.intra_subnet_suffix}" + }, + var.tags, + var.intra_route_table_tags, + ) } ################ # Public subnet ################ resource "aws_subnet" "public" { - count = "${var.create_vpc && length(var.public_subnets) > 0 && (! var.one_nat_gateway_per_az || length(var.public_subnets) >= length(var.azs)) ? length(var.public_subnets) : 0}" - - vpc_id = "${local.vpc_id}" - cidr_block = "${element(concat(var.public_subnets, list("")), count.index)}" - availability_zone = "${element(var.azs, count.index)}" - map_public_ip_on_launch = "${var.map_public_ip_on_launch}" - - tags = "${merge(map("Name", format("%s-${var.public_subnet_suffix}-%s", var.name, element(var.azs, count.index))), var.tags, var.public_subnet_tags)}" + count = var.create_vpc && length(var.public_subnets) > 0 && false == var.one_nat_gateway_per_az || length(var.public_subnets) >= length(var.azs) ? length(var.public_subnets) : 0 + + vpc_id = local.vpc_id + cidr_block = element(concat(var.public_subnets, [""]), count.index) + availability_zone = element(var.azs, count.index) + map_public_ip_on_launch = var.map_public_ip_on_launch + + tags = merge( + { + "Name" = format( + "%s-${var.public_subnet_suffix}-%s", + var.name, + element(var.azs, count.index), + ) + }, + var.tags, + var.public_subnet_tags, + ) } ################# # Private subnet ################# resource "aws_subnet" "private" { - count = "${var.create_vpc && length(var.private_subnets) > 0 ? length(var.private_subnets) : 0}" + count = var.create_vpc && length(var.private_subnets) > 0 ? length(var.private_subnets) : 0 - vpc_id = "${local.vpc_id}" - cidr_block = "${var.private_subnets[count.index]}" - availability_zone = "${element(var.azs, count.index)}" + vpc_id = local.vpc_id + cidr_block = var.private_subnets[count.index] + availability_zone = element(var.azs, count.index) - tags = "${merge(map("Name", format("%s-${var.private_subnet_suffix}-%s", var.name, element(var.azs, count.index))), var.tags, var.private_subnet_tags)}" + tags = merge( + { + "Name" = format( + "%s-${var.private_subnet_suffix}-%s", + var.name, + element(var.azs, count.index), + ) + }, + var.tags, + var.private_subnet_tags, + ) } ################## # Database subnet ################## resource "aws_subnet" "database" { - count = "${var.create_vpc && length(var.database_subnets) > 0 ? length(var.database_subnets) : 0}" + count = var.create_vpc && length(var.database_subnets) > 0 ? length(var.database_subnets) : 0 - vpc_id = "${local.vpc_id}" - cidr_block = "${var.database_subnets[count.index]}" - availability_zone = "${element(var.azs, count.index)}" + vpc_id = local.vpc_id + cidr_block = var.database_subnets[count.index] + availability_zone = element(var.azs, count.index) - tags = "${merge(map("Name", format("%s-${var.database_subnet_suffix}-%s", var.name, element(var.azs, count.index))), var.tags, var.database_subnet_tags)}" + tags = merge( + { + "Name" = format( + "%s-${var.database_subnet_suffix}-%s", + var.name, + element(var.azs, count.index), + ) + }, + var.tags, + var.database_subnet_tags, + ) } resource "aws_db_subnet_group" "database" { - count = "${var.create_vpc && length(var.database_subnets) > 0 && var.create_database_subnet_group ? 1 : 0}" + count = var.create_vpc && length(var.database_subnets) > 0 && var.create_database_subnet_group ? 1 : 0 - name = "${lower(var.name)}" + name = lower(var.name) description = "Database subnet group for ${var.name}" - subnet_ids = ["${aws_subnet.database.*.id}"] + subnet_ids = aws_subnet.database.*.id - tags = "${merge(map("Name", format("%s", var.name)), var.tags, var.database_subnet_group_tags)}" + tags = merge( + { + "Name" = format("%s", var.name) + }, + var.tags, + var.database_subnet_group_tags, + ) } ################## # Redshift subnet ################## resource "aws_subnet" "redshift" { - count = "${var.create_vpc && length(var.redshift_subnets) > 0 ? length(var.redshift_subnets) : 0}" + count = var.create_vpc && length(var.redshift_subnets) > 0 ? length(var.redshift_subnets) : 0 - vpc_id = "${local.vpc_id}" - cidr_block = "${var.redshift_subnets[count.index]}" - availability_zone = "${element(var.azs, count.index)}" + vpc_id = local.vpc_id + cidr_block = var.redshift_subnets[count.index] + availability_zone = element(var.azs, count.index) - tags = "${merge(map("Name", format("%s-${var.redshift_subnet_suffix}-%s", var.name, element(var.azs, count.index))), var.tags, var.redshift_subnet_tags)}" + tags = merge( + { + "Name" = format( + "%s-${var.redshift_subnet_suffix}-%s", + var.name, + element(var.azs, count.index), + ) + }, + var.tags, + var.redshift_subnet_tags, + ) } resource "aws_redshift_subnet_group" "redshift" { - count = "${var.create_vpc && length(var.redshift_subnets) > 0 && var.create_redshift_subnet_group ? 1 : 0}" + count = var.create_vpc && length(var.redshift_subnets) > 0 && var.create_redshift_subnet_group ? 1 : 0 - name = "${lower(var.name)}" + name = lower(var.name) description = "Redshift subnet group for ${var.name}" - subnet_ids = ["${aws_subnet.redshift.*.id}"] + subnet_ids = aws_subnet.redshift.*.id - tags = "${merge(map("Name", format("%s", var.name)), var.tags, var.redshift_subnet_group_tags)}" + tags = merge( + { + "Name" = format("%s", var.name) + }, + var.tags, + var.redshift_subnet_group_tags, + ) } ##################### # ElastiCache subnet ##################### resource "aws_subnet" "elasticache" { - count = "${var.create_vpc && length(var.elasticache_subnets) > 0 ? length(var.elasticache_subnets) : 0}" + count = var.create_vpc && length(var.elasticache_subnets) > 0 ? length(var.elasticache_subnets) : 0 - vpc_id = "${local.vpc_id}" - cidr_block = "${var.elasticache_subnets[count.index]}" - availability_zone = "${element(var.azs, count.index)}" + vpc_id = local.vpc_id + cidr_block = var.elasticache_subnets[count.index] + availability_zone = element(var.azs, count.index) - tags = "${merge(map("Name", format("%s-${var.elasticache_subnet_suffix}-%s", var.name, element(var.azs, count.index))), var.tags, var.elasticache_subnet_tags)}" + tags = merge( + { + "Name" = format( + "%s-${var.elasticache_subnet_suffix}-%s", + var.name, + element(var.azs, count.index), + ) + }, + var.tags, + var.elasticache_subnet_tags, + ) } resource "aws_elasticache_subnet_group" "elasticache" { - count = "${var.create_vpc && length(var.elasticache_subnets) > 0 && var.create_elasticache_subnet_group ? 1 : 0}" + count = var.create_vpc && length(var.elasticache_subnets) > 0 && var.create_elasticache_subnet_group ? 1 : 0 - name = "${var.name}" + name = var.name description = "ElastiCache subnet group for ${var.name}" - subnet_ids = ["${aws_subnet.elasticache.*.id}"] + subnet_ids = aws_subnet.elasticache.*.id } ##################################################### # intra subnets - private subnet without NAT gateway ##################################################### resource "aws_subnet" "intra" { - count = "${var.create_vpc && length(var.intra_subnets) > 0 ? length(var.intra_subnets) : 0}" + count = var.create_vpc && length(var.intra_subnets) > 0 ? length(var.intra_subnets) : 0 - vpc_id = "${local.vpc_id}" - cidr_block = "${var.intra_subnets[count.index]}" - availability_zone = "${element(var.azs, count.index)}" + vpc_id = local.vpc_id + cidr_block = var.intra_subnets[count.index] + availability_zone = element(var.azs, count.index) - tags = "${merge(map("Name", format("%s-${var.intra_subnet_suffix}-%s", var.name, element(var.azs, count.index))), var.tags, var.intra_subnet_tags)}" + tags = merge( + { + "Name" = format( + "%s-${var.intra_subnet_suffix}-%s", + var.name, + element(var.azs, count.index), + ) + }, + var.tags, + var.intra_subnet_tags, + ) } ####################### # Default Network ACLs ####################### resource "aws_default_network_acl" "this" { - count = "${var.create_vpc && var.manage_default_network_acl ? 1 : 0}" - - default_network_acl_id = "${element(concat(aws_vpc.this.*.default_network_acl_id, list("")), 0)}" - - ingress = "${var.default_network_acl_ingress}" - egress = "${var.default_network_acl_egress}" + count = var.create_vpc && var.manage_default_network_acl ? 1 : 0 + + default_network_acl_id = element(concat(aws_vpc.this.*.default_network_acl_id, [""]), 0) + + dynamic "ingress" { + for_each = var.default_network_acl_ingress + content { + action = ingress.value.action + cidr_block = lookup(ingress.value, "cidr_block", null) + from_port = ingress.value.from_port + icmp_code = lookup(ingress.value, "icmp_code", null) + icmp_type = lookup(ingress.value, "icmp_type", null) + ipv6_cidr_block = lookup(ingress.value, "ipv6_cidr_block", null) + protocol = ingress.value.protocol + rule_no = ingress.value.rule_no + to_port = ingress.value.to_port + } + } + dynamic "egress" { + for_each = var.default_network_acl_egress + content { + action = egress.value.action + cidr_block = lookup(egress.value, "cidr_block", null) + from_port = egress.value.from_port + icmp_code = lookup(egress.value, "icmp_code", null) + icmp_type = lookup(egress.value, "icmp_type", null) + ipv6_cidr_block = lookup(egress.value, "ipv6_cidr_block", null) + protocol = egress.value.protocol + rule_no = egress.value.rule_no + to_port = egress.value.to_port + } + } - tags = "${merge(map("Name", format("%s", var.default_network_acl_name)), var.tags, var.default_network_acl_tags)}" + tags = merge( + { + "Name" = format("%s", var.default_network_acl_name) + }, + var.tags, + var.default_network_acl_tags, + ) lifecycle { - ignore_changes = ["subnet_ids"] + ignore_changes = [subnet_ids] } } @@ -306,240 +477,276 @@ resource "aws_default_network_acl" "this" { # Public Network ACLs ######################## resource "aws_network_acl" "public" { - count = "${var.create_vpc && var.public_dedicated_network_acl && length(var.public_subnets) > 0 ? 1 : 0}" + count = var.create_vpc && var.public_dedicated_network_acl && length(var.public_subnets) > 0 ? 1 : 0 - vpc_id = "${element(concat(aws_vpc.this.*.id, list("")), 0)}" - subnet_ids = ["${aws_subnet.public.*.id}"] + vpc_id = element(concat(aws_vpc.this.*.id, [""]), 0) + subnet_ids = aws_subnet.public.*.id - tags = "${merge(map("Name", format("%s-${var.public_subnet_suffix}", var.name)), var.tags, var.public_acl_tags)}" + tags = merge( + { + "Name" = format("%s-${var.public_subnet_suffix}", var.name) + }, + var.tags, + var.public_acl_tags, + ) } resource "aws_network_acl_rule" "public_inbound" { - count = "${var.create_vpc && var.public_dedicated_network_acl && length(var.public_subnets) > 0 ? length(var.public_inbound_acl_rules) : 0}" + count = var.create_vpc && var.public_dedicated_network_acl && length(var.public_subnets) > 0 ? length(var.public_inbound_acl_rules) : 0 - network_acl_id = "${aws_network_acl.public.id}" + network_acl_id = aws_network_acl.public[0].id egress = false - rule_number = "${lookup(var.public_inbound_acl_rules[count.index], "rule_number")}" - rule_action = "${lookup(var.public_inbound_acl_rules[count.index], "rule_action")}" - from_port = "${lookup(var.public_inbound_acl_rules[count.index], "from_port")}" - to_port = "${lookup(var.public_inbound_acl_rules[count.index], "to_port")}" - protocol = "${lookup(var.public_inbound_acl_rules[count.index], "protocol")}" - cidr_block = "${lookup(var.public_inbound_acl_rules[count.index], "cidr_block")}" + rule_number = var.public_inbound_acl_rules[count.index]["rule_number"] + rule_action = var.public_inbound_acl_rules[count.index]["rule_action"] + from_port = var.public_inbound_acl_rules[count.index]["from_port"] + to_port = var.public_inbound_acl_rules[count.index]["to_port"] + protocol = var.public_inbound_acl_rules[count.index]["protocol"] + cidr_block = var.public_inbound_acl_rules[count.index]["cidr_block"] } resource "aws_network_acl_rule" "public_outbound" { - count = "${var.create_vpc && var.public_dedicated_network_acl && length(var.public_subnets) > 0 ? length(var.public_outbound_acl_rules) : 0}" + count = var.create_vpc && var.public_dedicated_network_acl && length(var.public_subnets) > 0 ? length(var.public_outbound_acl_rules) : 0 - network_acl_id = "${aws_network_acl.public.id}" + network_acl_id = aws_network_acl.public[0].id egress = true - rule_number = "${lookup(var.public_outbound_acl_rules[count.index], "rule_number")}" - rule_action = "${lookup(var.public_outbound_acl_rules[count.index], "rule_action")}" - from_port = "${lookup(var.public_outbound_acl_rules[count.index], "from_port")}" - to_port = "${lookup(var.public_outbound_acl_rules[count.index], "to_port")}" - protocol = "${lookup(var.public_outbound_acl_rules[count.index], "protocol")}" - cidr_block = "${lookup(var.public_outbound_acl_rules[count.index], "cidr_block")}" + rule_number = var.public_outbound_acl_rules[count.index]["rule_number"] + rule_action = var.public_outbound_acl_rules[count.index]["rule_action"] + from_port = var.public_outbound_acl_rules[count.index]["from_port"] + to_port = var.public_outbound_acl_rules[count.index]["to_port"] + protocol = var.public_outbound_acl_rules[count.index]["protocol"] + cidr_block = var.public_outbound_acl_rules[count.index]["cidr_block"] } ####################### # Private Network ACLs ####################### resource "aws_network_acl" "private" { - count = "${var.create_vpc && var.private_dedicated_network_acl && length(var.private_subnets) > 0 ? 1 : 0}" + count = var.create_vpc && var.private_dedicated_network_acl && length(var.private_subnets) > 0 ? 1 : 0 - vpc_id = "${element(concat(aws_vpc.this.*.id, list("")), 0)}" - subnet_ids = ["${aws_subnet.private.*.id}"] + vpc_id = element(concat(aws_vpc.this.*.id, [""]), 0) + subnet_ids = aws_subnet.private.*.id - tags = "${merge(map("Name", format("%s-${var.private_subnet_suffix}", var.name)), var.tags, var.private_acl_tags)}" + tags = merge( + { + "Name" = format("%s-${var.private_subnet_suffix}", var.name) + }, + var.tags, + var.private_acl_tags, + ) } resource "aws_network_acl_rule" "private_inbound" { - count = "${var.create_vpc && var.private_dedicated_network_acl && length(var.private_subnets) > 0 ? length(var.private_inbound_acl_rules) : 0}" + count = var.create_vpc && var.private_dedicated_network_acl && length(var.private_subnets) > 0 ? length(var.private_inbound_acl_rules) : 0 - network_acl_id = "${aws_network_acl.private.id}" + network_acl_id = aws_network_acl.private[0].id egress = false - rule_number = "${lookup(var.private_inbound_acl_rules[count.index], "rule_number")}" - rule_action = "${lookup(var.private_inbound_acl_rules[count.index], "rule_action")}" - from_port = "${lookup(var.private_inbound_acl_rules[count.index], "from_port")}" - to_port = "${lookup(var.private_inbound_acl_rules[count.index], "to_port")}" - protocol = "${lookup(var.private_inbound_acl_rules[count.index], "protocol")}" - cidr_block = "${lookup(var.private_inbound_acl_rules[count.index], "cidr_block")}" + rule_number = var.private_inbound_acl_rules[count.index]["rule_number"] + rule_action = var.private_inbound_acl_rules[count.index]["rule_action"] + from_port = var.private_inbound_acl_rules[count.index]["from_port"] + to_port = var.private_inbound_acl_rules[count.index]["to_port"] + protocol = var.private_inbound_acl_rules[count.index]["protocol"] + cidr_block = var.private_inbound_acl_rules[count.index]["cidr_block"] } resource "aws_network_acl_rule" "private_outbound" { - count = "${var.create_vpc && var.private_dedicated_network_acl && length(var.private_subnets) > 0 ? length(var.private_outbound_acl_rules) : 0}" + count = var.create_vpc && var.private_dedicated_network_acl && length(var.private_subnets) > 0 ? length(var.private_outbound_acl_rules) : 0 - network_acl_id = "${aws_network_acl.private.id}" + network_acl_id = aws_network_acl.private[0].id egress = true - rule_number = "${lookup(var.private_outbound_acl_rules[count.index], "rule_number")}" - rule_action = "${lookup(var.private_outbound_acl_rules[count.index], "rule_action")}" - from_port = "${lookup(var.private_outbound_acl_rules[count.index], "from_port")}" - to_port = "${lookup(var.private_outbound_acl_rules[count.index], "to_port")}" - protocol = "${lookup(var.private_outbound_acl_rules[count.index], "protocol")}" - cidr_block = "${lookup(var.private_outbound_acl_rules[count.index], "cidr_block")}" + rule_number = var.private_outbound_acl_rules[count.index]["rule_number"] + rule_action = var.private_outbound_acl_rules[count.index]["rule_action"] + from_port = var.private_outbound_acl_rules[count.index]["from_port"] + to_port = var.private_outbound_acl_rules[count.index]["to_port"] + protocol = var.private_outbound_acl_rules[count.index]["protocol"] + cidr_block = var.private_outbound_acl_rules[count.index]["cidr_block"] } ######################## # Intra Network ACLs ######################## resource "aws_network_acl" "intra" { - count = "${var.create_vpc && var.intra_dedicated_network_acl && length(var.intra_subnets) > 0 ? 1 : 0}" + count = var.create_vpc && var.intra_dedicated_network_acl && length(var.intra_subnets) > 0 ? 1 : 0 - vpc_id = "${element(concat(aws_vpc.this.*.id, list("")), 0)}" - subnet_ids = ["${aws_subnet.intra.*.id}"] + vpc_id = element(concat(aws_vpc.this.*.id, [""]), 0) + subnet_ids = aws_subnet.intra.*.id - tags = "${merge(map("Name", format("%s-${var.intra_subnet_suffix}", var.name)), var.tags, var.intra_acl_tags)}" + tags = merge( + { + "Name" = format("%s-${var.intra_subnet_suffix}", var.name) + }, + var.tags, + var.intra_acl_tags, + ) } resource "aws_network_acl_rule" "intra_inbound" { - count = "${var.create_vpc && var.intra_dedicated_network_acl && length(var.intra_subnets) > 0 ? length(var.intra_inbound_acl_rules) : 0}" + count = var.create_vpc && var.intra_dedicated_network_acl && length(var.intra_subnets) > 0 ? length(var.intra_inbound_acl_rules) : 0 - network_acl_id = "${aws_network_acl.intra.id}" + network_acl_id = aws_network_acl.intra[0].id egress = false - rule_number = "${lookup(var.intra_inbound_acl_rules[count.index], "rule_number")}" - rule_action = "${lookup(var.intra_inbound_acl_rules[count.index], "rule_action")}" - from_port = "${lookup(var.intra_inbound_acl_rules[count.index], "from_port")}" - to_port = "${lookup(var.intra_inbound_acl_rules[count.index], "to_port")}" - protocol = "${lookup(var.intra_inbound_acl_rules[count.index], "protocol")}" - cidr_block = "${lookup(var.intra_inbound_acl_rules[count.index], "cidr_block")}" + rule_number = var.intra_inbound_acl_rules[count.index]["rule_number"] + rule_action = var.intra_inbound_acl_rules[count.index]["rule_action"] + from_port = var.intra_inbound_acl_rules[count.index]["from_port"] + to_port = var.intra_inbound_acl_rules[count.index]["to_port"] + protocol = var.intra_inbound_acl_rules[count.index]["protocol"] + cidr_block = var.intra_inbound_acl_rules[count.index]["cidr_block"] } resource "aws_network_acl_rule" "intra_outbound" { - count = "${var.create_vpc && var.intra_dedicated_network_acl && length(var.intra_subnets) > 0 ? length(var.intra_outbound_acl_rules) : 0}" + count = var.create_vpc && var.intra_dedicated_network_acl && length(var.intra_subnets) > 0 ? length(var.intra_outbound_acl_rules) : 0 - network_acl_id = "${aws_network_acl.intra.id}" + network_acl_id = aws_network_acl.intra[0].id egress = true - rule_number = "${lookup(var.intra_outbound_acl_rules[count.index], "rule_number")}" - rule_action = "${lookup(var.intra_outbound_acl_rules[count.index], "rule_action")}" - from_port = "${lookup(var.intra_outbound_acl_rules[count.index], "from_port")}" - to_port = "${lookup(var.intra_outbound_acl_rules[count.index], "to_port")}" - protocol = "${lookup(var.intra_outbound_acl_rules[count.index], "protocol")}" - cidr_block = "${lookup(var.intra_outbound_acl_rules[count.index], "cidr_block")}" + rule_number = var.intra_outbound_acl_rules[count.index]["rule_number"] + rule_action = var.intra_outbound_acl_rules[count.index]["rule_action"] + from_port = var.intra_outbound_acl_rules[count.index]["from_port"] + to_port = var.intra_outbound_acl_rules[count.index]["to_port"] + protocol = var.intra_outbound_acl_rules[count.index]["protocol"] + cidr_block = var.intra_outbound_acl_rules[count.index]["cidr_block"] } ######################## # Database Network ACLs ######################## resource "aws_network_acl" "database" { - count = "${var.create_vpc && var.database_dedicated_network_acl && length(var.database_subnets) > 0 ? 1 : 0}" + count = var.create_vpc && var.database_dedicated_network_acl && length(var.database_subnets) > 0 ? 1 : 0 - vpc_id = "${element(concat(aws_vpc.this.*.id, list("")), 0)}" - subnet_ids = ["${aws_subnet.database.*.id}"] + vpc_id = element(concat(aws_vpc.this.*.id, [""]), 0) + subnet_ids = aws_subnet.database.*.id - tags = "${merge(map("Name", format("%s-${var.database_subnet_suffix}", var.name)), var.tags, var.database_acl_tags)}" + tags = merge( + { + "Name" = format("%s-${var.database_subnet_suffix}", var.name) + }, + var.tags, + var.database_acl_tags, + ) } resource "aws_network_acl_rule" "database_inbound" { - count = "${var.create_vpc && var.database_dedicated_network_acl && length(var.database_subnets) > 0 ? length(var.database_inbound_acl_rules) : 0}" + count = var.create_vpc && var.database_dedicated_network_acl && length(var.database_subnets) > 0 ? length(var.database_inbound_acl_rules) : 0 - network_acl_id = "${aws_network_acl.database.id}" + network_acl_id = aws_network_acl.database[0].id egress = false - rule_number = "${lookup(var.database_inbound_acl_rules[count.index], "rule_number")}" - rule_action = "${lookup(var.database_inbound_acl_rules[count.index], "rule_action")}" - from_port = "${lookup(var.database_inbound_acl_rules[count.index], "from_port")}" - to_port = "${lookup(var.database_inbound_acl_rules[count.index], "to_port")}" - protocol = "${lookup(var.database_inbound_acl_rules[count.index], "protocol")}" - cidr_block = "${lookup(var.database_inbound_acl_rules[count.index], "cidr_block")}" + rule_number = var.database_inbound_acl_rules[count.index]["rule_number"] + rule_action = var.database_inbound_acl_rules[count.index]["rule_action"] + from_port = var.database_inbound_acl_rules[count.index]["from_port"] + to_port = var.database_inbound_acl_rules[count.index]["to_port"] + protocol = var.database_inbound_acl_rules[count.index]["protocol"] + cidr_block = var.database_inbound_acl_rules[count.index]["cidr_block"] } resource "aws_network_acl_rule" "database_outbound" { - count = "${var.create_vpc && var.database_dedicated_network_acl && length(var.database_subnets) > 0 ? length(var.database_outbound_acl_rules) : 0}" + count = var.create_vpc && var.database_dedicated_network_acl && length(var.database_subnets) > 0 ? length(var.database_outbound_acl_rules) : 0 - network_acl_id = "${aws_network_acl.database.id}" + network_acl_id = aws_network_acl.database[0].id egress = true - rule_number = "${lookup(var.database_outbound_acl_rules[count.index], "rule_number")}" - rule_action = "${lookup(var.database_outbound_acl_rules[count.index], "rule_action")}" - from_port = "${lookup(var.database_outbound_acl_rules[count.index], "from_port")}" - to_port = "${lookup(var.database_outbound_acl_rules[count.index], "to_port")}" - protocol = "${lookup(var.database_outbound_acl_rules[count.index], "protocol")}" - cidr_block = "${lookup(var.database_outbound_acl_rules[count.index], "cidr_block")}" + rule_number = var.database_outbound_acl_rules[count.index]["rule_number"] + rule_action = var.database_outbound_acl_rules[count.index]["rule_action"] + from_port = var.database_outbound_acl_rules[count.index]["from_port"] + to_port = var.database_outbound_acl_rules[count.index]["to_port"] + protocol = var.database_outbound_acl_rules[count.index]["protocol"] + cidr_block = var.database_outbound_acl_rules[count.index]["cidr_block"] } ######################## # Redshift Network ACLs ######################## resource "aws_network_acl" "redshift" { - count = "${var.create_vpc && var.redshift_dedicated_network_acl && length(var.redshift_subnets) > 0 ? 1 : 0}" + count = var.create_vpc && var.redshift_dedicated_network_acl && length(var.redshift_subnets) > 0 ? 1 : 0 - vpc_id = "${element(concat(aws_vpc.this.*.id, list("")), 0)}" - subnet_ids = ["${aws_subnet.redshift.*.id}"] + vpc_id = element(concat(aws_vpc.this.*.id, [""]), 0) + subnet_ids = aws_subnet.redshift.*.id - tags = "${merge(map("Name", format("%s-${var.redshift_subnet_suffix}", var.name)), var.tags, var.redshift_acl_tags)}" + tags = merge( + { + "Name" = format("%s-${var.redshift_subnet_suffix}", var.name) + }, + var.tags, + var.redshift_acl_tags, + ) } resource "aws_network_acl_rule" "redshift_inbound" { - count = "${var.create_vpc && var.redshift_dedicated_network_acl && length(var.redshift_subnets) > 0 ? length(var.redshift_inbound_acl_rules) : 0}" + count = var.create_vpc && var.redshift_dedicated_network_acl && length(var.redshift_subnets) > 0 ? length(var.redshift_inbound_acl_rules) : 0 - network_acl_id = "${aws_network_acl.redshift.id}" + network_acl_id = aws_network_acl.redshift[0].id egress = false - rule_number = "${lookup(var.redshift_inbound_acl_rules[count.index], "rule_number")}" - rule_action = "${lookup(var.redshift_inbound_acl_rules[count.index], "rule_action")}" - from_port = "${lookup(var.redshift_inbound_acl_rules[count.index], "from_port")}" - to_port = "${lookup(var.redshift_inbound_acl_rules[count.index], "to_port")}" - protocol = "${lookup(var.redshift_inbound_acl_rules[count.index], "protocol")}" - cidr_block = "${lookup(var.redshift_inbound_acl_rules[count.index], "cidr_block")}" + rule_number = var.redshift_inbound_acl_rules[count.index]["rule_number"] + rule_action = var.redshift_inbound_acl_rules[count.index]["rule_action"] + from_port = var.redshift_inbound_acl_rules[count.index]["from_port"] + to_port = var.redshift_inbound_acl_rules[count.index]["to_port"] + protocol = var.redshift_inbound_acl_rules[count.index]["protocol"] + cidr_block = var.redshift_inbound_acl_rules[count.index]["cidr_block"] } resource "aws_network_acl_rule" "redshift_outbound" { - count = "${var.create_vpc && var.redshift_dedicated_network_acl && length(var.redshift_subnets) > 0 ? length(var.redshift_outbound_acl_rules) : 0}" + count = var.create_vpc && var.redshift_dedicated_network_acl && length(var.redshift_subnets) > 0 ? length(var.redshift_outbound_acl_rules) : 0 - network_acl_id = "${aws_network_acl.redshift.id}" + network_acl_id = aws_network_acl.redshift[0].id egress = true - rule_number = "${lookup(var.redshift_outbound_acl_rules[count.index], "rule_number")}" - rule_action = "${lookup(var.redshift_outbound_acl_rules[count.index], "rule_action")}" - from_port = "${lookup(var.redshift_outbound_acl_rules[count.index], "from_port")}" - to_port = "${lookup(var.redshift_outbound_acl_rules[count.index], "to_port")}" - protocol = "${lookup(var.redshift_outbound_acl_rules[count.index], "protocol")}" - cidr_block = "${lookup(var.redshift_outbound_acl_rules[count.index], "cidr_block")}" + rule_number = var.redshift_outbound_acl_rules[count.index]["rule_number"] + rule_action = var.redshift_outbound_acl_rules[count.index]["rule_action"] + from_port = var.redshift_outbound_acl_rules[count.index]["from_port"] + to_port = var.redshift_outbound_acl_rules[count.index]["to_port"] + protocol = var.redshift_outbound_acl_rules[count.index]["protocol"] + cidr_block = var.redshift_outbound_acl_rules[count.index]["cidr_block"] } ########################### # Elasticache Network ACLs ########################### resource "aws_network_acl" "elasticache" { - count = "${var.create_vpc && var.elasticache_dedicated_network_acl && length(var.elasticache_subnets) > 0 ? 1 : 0}" + count = var.create_vpc && var.elasticache_dedicated_network_acl && length(var.elasticache_subnets) > 0 ? 1 : 0 - vpc_id = "${element(concat(aws_vpc.this.*.id, list("")), 0)}" - subnet_ids = ["${aws_subnet.elasticache.*.id}"] + vpc_id = element(concat(aws_vpc.this.*.id, [""]), 0) + subnet_ids = aws_subnet.elasticache.*.id - tags = "${merge(map("Name", format("%s-${var.elasticache_subnet_suffix}", var.name)), var.tags, var.elasticache_acl_tags)}" + tags = merge( + { + "Name" = format("%s-${var.elasticache_subnet_suffix}", var.name) + }, + var.tags, + var.elasticache_acl_tags, + ) } resource "aws_network_acl_rule" "elasticache_inbound" { - count = "${var.create_vpc && var.elasticache_dedicated_network_acl && length(var.elasticache_subnets) > 0 ? length(var.elasticache_inbound_acl_rules) : 0}" + count = var.create_vpc && var.elasticache_dedicated_network_acl && length(var.elasticache_subnets) > 0 ? length(var.elasticache_inbound_acl_rules) : 0 - network_acl_id = "${aws_network_acl.elasticache.id}" + network_acl_id = aws_network_acl.elasticache[0].id egress = false - rule_number = "${lookup(var.elasticache_inbound_acl_rules[count.index], "rule_number")}" - rule_action = "${lookup(var.elasticache_inbound_acl_rules[count.index], "rule_action")}" - from_port = "${lookup(var.elasticache_inbound_acl_rules[count.index], "from_port")}" - to_port = "${lookup(var.elasticache_inbound_acl_rules[count.index], "to_port")}" - protocol = "${lookup(var.elasticache_inbound_acl_rules[count.index], "protocol")}" - cidr_block = "${lookup(var.elasticache_inbound_acl_rules[count.index], "cidr_block")}" + rule_number = var.elasticache_inbound_acl_rules[count.index]["rule_number"] + rule_action = var.elasticache_inbound_acl_rules[count.index]["rule_action"] + from_port = var.elasticache_inbound_acl_rules[count.index]["from_port"] + to_port = var.elasticache_inbound_acl_rules[count.index]["to_port"] + protocol = var.elasticache_inbound_acl_rules[count.index]["protocol"] + cidr_block = var.elasticache_inbound_acl_rules[count.index]["cidr_block"] } resource "aws_network_acl_rule" "elasticache_outbound" { - count = "${var.create_vpc && var.elasticache_dedicated_network_acl && length(var.elasticache_subnets) > 0 ? length(var.elasticache_outbound_acl_rules) : 0}" + count = var.create_vpc && var.elasticache_dedicated_network_acl && length(var.elasticache_subnets) > 0 ? length(var.elasticache_outbound_acl_rules) : 0 - network_acl_id = "${aws_network_acl.elasticache.id}" + network_acl_id = aws_network_acl.elasticache[0].id egress = true - rule_number = "${lookup(var.elasticache_outbound_acl_rules[count.index], "rule_number")}" - rule_action = "${lookup(var.elasticache_outbound_acl_rules[count.index], "rule_action")}" - from_port = "${lookup(var.elasticache_outbound_acl_rules[count.index], "from_port")}" - to_port = "${lookup(var.elasticache_outbound_acl_rules[count.index], "to_port")}" - protocol = "${lookup(var.elasticache_outbound_acl_rules[count.index], "protocol")}" - cidr_block = "${lookup(var.elasticache_outbound_acl_rules[count.index], "cidr_block")}" + rule_number = var.elasticache_outbound_acl_rules[count.index]["rule_number"] + rule_action = var.elasticache_outbound_acl_rules[count.index]["rule_action"] + from_port = var.elasticache_outbound_acl_rules[count.index]["from_port"] + to_port = var.elasticache_outbound_acl_rules[count.index]["to_port"] + protocol = var.elasticache_outbound_acl_rules[count.index]["protocol"] + cidr_block = var.elasticache_outbound_acl_rules[count.index]["cidr_block"] } ############## @@ -554,34 +761,63 @@ resource "aws_network_acl_rule" "elasticache_outbound" { # # but then when count of aws_eip.nat.*.id is zero, this would throw a resource not found error on aws_eip.nat.*.id. locals { - nat_gateway_ips = "${split(",", (var.reuse_nat_ips ? join(",", var.external_nat_ip_ids) : join(",", aws_eip.nat.*.id)))}" + nat_gateway_ips = split( + ",", + var.reuse_nat_ips ? join(",", var.external_nat_ip_ids) : join(",", aws_eip.nat.*.id), + ) } resource "aws_eip" "nat" { - count = "${var.create_vpc && (var.enable_nat_gateway && ! var.reuse_nat_ips) ? local.nat_gateway_count : 0}" + count = var.create_vpc && var.enable_nat_gateway && false == var.reuse_nat_ips ? local.nat_gateway_count : 0 vpc = true - tags = "${merge(map("Name", format("%s-%s", var.name, element(var.azs, (var.single_nat_gateway ? 0 : count.index)))), var.tags, var.nat_eip_tags)}" + tags = merge( + { + "Name" = format( + "%s-%s", + var.name, + element(var.azs, var.single_nat_gateway ? 0 : count.index), + ) + }, + var.tags, + var.nat_eip_tags, + ) } resource "aws_nat_gateway" "this" { - count = "${var.create_vpc && var.enable_nat_gateway ? local.nat_gateway_count : 0}" - - allocation_id = "${element(local.nat_gateway_ips, (var.single_nat_gateway ? 0 : count.index))}" - subnet_id = "${element(aws_subnet.public.*.id, (var.single_nat_gateway ? 0 : count.index))}" - - tags = "${merge(map("Name", format("%s-%s", var.name, element(var.azs, (var.single_nat_gateway ? 0 : count.index)))), var.tags, var.nat_gateway_tags)}" - - depends_on = ["aws_internet_gateway.this"] + count = var.create_vpc && var.enable_nat_gateway ? local.nat_gateway_count : 0 + + allocation_id = element( + local.nat_gateway_ips, + var.single_nat_gateway ? 0 : count.index, + ) + subnet_id = element( + aws_subnet.public.*.id, + var.single_nat_gateway ? 0 : count.index, + ) + + tags = merge( + { + "Name" = format( + "%s-%s", + var.name, + element(var.azs, var.single_nat_gateway ? 0 : count.index), + ) + }, + var.tags, + var.nat_gateway_tags, + ) + + depends_on = [aws_internet_gateway.this] } resource "aws_route" "private_nat_gateway" { - count = "${var.create_vpc && var.enable_nat_gateway ? local.nat_gateway_count : 0}" + count = var.create_vpc && var.enable_nat_gateway ? local.nat_gateway_count : 0 - route_table_id = "${element(aws_route_table.private.*.id, count.index)}" + route_table_id = element(aws_route_table.private.*.id, count.index) destination_cidr_block = "0.0.0.0/0" - nat_gateway_id = "${element(aws_nat_gateway.this.*.id, count.index)}" + nat_gateway_id = element(aws_nat_gateway.this.*.id, count.index) timeouts { create = "5m" @@ -592,74 +828,95 @@ resource "aws_route" "private_nat_gateway" { # VPC Endpoint for S3 ###################### data "aws_vpc_endpoint_service" "s3" { - count = "${var.create_vpc && var.enable_s3_endpoint ? 1 : 0}" + count = var.create_vpc && var.enable_s3_endpoint ? 1 : 0 service = "s3" } resource "aws_vpc_endpoint" "s3" { - count = "${var.create_vpc && var.enable_s3_endpoint ? 1 : 0}" + count = var.create_vpc && var.enable_s3_endpoint ? 1 : 0 - vpc_id = "${local.vpc_id}" - service_name = "${data.aws_vpc_endpoint_service.s3.service_name}" + vpc_id = local.vpc_id + service_name = data.aws_vpc_endpoint_service.s3[0].service_name } resource "aws_vpc_endpoint_route_table_association" "private_s3" { - count = "${var.create_vpc && var.enable_s3_endpoint ? local.nat_gateway_count : 0}" + count = var.create_vpc && var.enable_s3_endpoint ? local.nat_gateway_count : 0 - vpc_endpoint_id = "${aws_vpc_endpoint.s3.id}" - route_table_id = "${element(aws_route_table.private.*.id, count.index)}" + vpc_endpoint_id = aws_vpc_endpoint.s3[0].id + route_table_id = element(aws_route_table.private.*.id, count.index) } resource "aws_vpc_endpoint_route_table_association" "intra_s3" { - count = "${var.create_vpc && var.enable_s3_endpoint && length(var.intra_subnets) > 0 ? 1 : 0}" + count = var.create_vpc && var.enable_s3_endpoint && length(var.intra_subnets) > 0 ? 1 : 0 - vpc_endpoint_id = "${aws_vpc_endpoint.s3.id}" - route_table_id = "${element(aws_route_table.intra.*.id, 0)}" + vpc_endpoint_id = aws_vpc_endpoint.s3[0].id + route_table_id = element(aws_route_table.intra.*.id, 0) } resource "aws_vpc_endpoint_route_table_association" "public_s3" { - count = "${var.create_vpc && var.enable_s3_endpoint && length(var.public_subnets) > 0 ? 1 : 0}" + count = var.create_vpc && var.enable_s3_endpoint && length(var.public_subnets) > 0 ? 1 : 0 - vpc_endpoint_id = "${aws_vpc_endpoint.s3.id}" - route_table_id = "${aws_route_table.public.id}" + vpc_endpoint_id = aws_vpc_endpoint.s3[0].id + route_table_id = aws_route_table.public[0].id } ############################ # VPC Endpoint for DynamoDB ############################ data "aws_vpc_endpoint_service" "dynamodb" { - count = "${var.create_vpc && var.enable_dynamodb_endpoint ? 1 : 0}" + count = var.create_vpc && var.enable_dynamodb_endpoint ? 1 : 0 service = "dynamodb" } resource "aws_vpc_endpoint" "dynamodb" { - count = "${var.create_vpc && var.enable_dynamodb_endpoint ? 1 : 0}" + count = var.create_vpc && var.enable_dynamodb_endpoint ? 1 : 0 - vpc_id = "${local.vpc_id}" - service_name = "${data.aws_vpc_endpoint_service.dynamodb.service_name}" + vpc_id = local.vpc_id + service_name = data.aws_vpc_endpoint_service.dynamodb[0].service_name } resource "aws_vpc_endpoint_route_table_association" "private_dynamodb" { - count = "${var.create_vpc && var.enable_dynamodb_endpoint ? local.nat_gateway_count : 0}" + count = var.create_vpc && var.enable_dynamodb_endpoint ? local.nat_gateway_count : 0 - vpc_endpoint_id = "${aws_vpc_endpoint.dynamodb.id}" - route_table_id = "${element(aws_route_table.private.*.id, count.index)}" + vpc_endpoint_id = aws_vpc_endpoint.dynamodb[0].id + route_table_id = element(aws_route_table.private.*.id, count.index) } resource "aws_vpc_endpoint_route_table_association" "intra_dynamodb" { - count = "${var.create_vpc && var.enable_dynamodb_endpoint && length(var.intra_subnets) > 0 ? 1 : 0}" + count = var.create_vpc && var.enable_dynamodb_endpoint && length(var.intra_subnets) > 0 ? 1 : 0 - vpc_endpoint_id = "${aws_vpc_endpoint.dynamodb.id}" - route_table_id = "${element(aws_route_table.intra.*.id, 0)}" + vpc_endpoint_id = aws_vpc_endpoint.dynamodb[0].id + route_table_id = element(aws_route_table.intra.*.id, 0) } resource "aws_vpc_endpoint_route_table_association" "public_dynamodb" { - count = "${var.create_vpc && var.enable_dynamodb_endpoint && length(var.public_subnets) > 0 ? 1 : 0}" + count = var.create_vpc && var.enable_dynamodb_endpoint && length(var.public_subnets) > 0 ? 1 : 0 - vpc_endpoint_id = "${aws_vpc_endpoint.dynamodb.id}" - route_table_id = "${aws_route_table.public.id}" + vpc_endpoint_id = aws_vpc_endpoint.dynamodb[0].id + route_table_id = aws_route_table.public[0].id +} + +####################### +# VPC Endpoint for SQS +####################### +data "aws_vpc_endpoint_service" "sqs" { + count = var.create_vpc && var.enable_sqs_endpoint ? 1 : 0 + + service = "sqs" +} + +resource "aws_vpc_endpoint" "sqs" { + count = var.create_vpc && var.enable_sqs_endpoint ? 1 : 0 + + vpc_id = local.vpc_id + service_name = data.aws_vpc_endpoint_service.sqs[0].service_name + vpc_endpoint_type = "Interface" + + security_group_ids = var.sqs_endpoint_security_group_ids + subnet_ids = coalescelist(var.sqs_endpoint_subnet_ids, aws_subnet.private.*.id) + private_dns_enabled = var.sqs_endpoint_private_dns_enabled } ####################### @@ -687,168 +944,233 @@ resource "aws_vpc_endpoint" "sqs" { # VPC Endpoint for SSM ####################### data "aws_vpc_endpoint_service" "ssm" { - count = "${var.create_vpc && var.enable_ssm_endpoint ? 1 : 0}" + count = var.create_vpc && var.enable_ssm_endpoint ? 1 : 0 service = "ssm" } resource "aws_vpc_endpoint" "ssm" { - count = "${var.create_vpc && var.enable_ssm_endpoint ? 1 : 0}" + count = var.create_vpc && var.enable_ssm_endpoint ? 1 : 0 - vpc_id = "${local.vpc_id}" - service_name = "${data.aws_vpc_endpoint_service.ssm.service_name}" + vpc_id = local.vpc_id + service_name = data.aws_vpc_endpoint_service.ssm[0].service_name vpc_endpoint_type = "Interface" - security_group_ids = ["${var.ssm_endpoint_security_group_ids}"] - subnet_ids = ["${coalescelist(var.ssm_endpoint_subnet_ids, aws_subnet.private.*.id)}"] - private_dns_enabled = "${var.ssm_endpoint_private_dns_enabled}" + security_group_ids = var.ssm_endpoint_security_group_ids + subnet_ids = coalescelist(var.ssm_endpoint_subnet_ids, aws_subnet.private.*.id) + private_dns_enabled = var.ssm_endpoint_private_dns_enabled } ############################### # VPC Endpoint for SSMMESSAGES ############################### data "aws_vpc_endpoint_service" "ssmmessages" { - count = "${var.create_vpc && var.enable_ssmmessages_endpoint ? 1 : 0}" + count = var.create_vpc && var.enable_ssmmessages_endpoint ? 1 : 0 service = "ssmmessages" } resource "aws_vpc_endpoint" "ssmmessages" { - count = "${var.create_vpc && var.enable_ssmmessages_endpoint ? 1 : 0}" + count = var.create_vpc && var.enable_ssmmessages_endpoint ? 1 : 0 - vpc_id = "${local.vpc_id}" - service_name = "${data.aws_vpc_endpoint_service.ssmmessages.service_name}" + vpc_id = local.vpc_id + service_name = data.aws_vpc_endpoint_service.ssmmessages[0].service_name vpc_endpoint_type = "Interface" - security_group_ids = ["${var.ssmmessages_endpoint_security_group_ids}"] - subnet_ids = ["${coalescelist(var.ssmmessages_endpoint_subnet_ids, aws_subnet.private.*.id)}"] - private_dns_enabled = "${var.ssmmessages_endpoint_private_dns_enabled}" + security_group_ids = var.ssmmessages_endpoint_security_group_ids + subnet_ids = coalescelist(var.ssmmessages_endpoint_subnet_ids, aws_subnet.private.*.id) + private_dns_enabled = var.ssmmessages_endpoint_private_dns_enabled } ####################### # VPC Endpoint for EC2 ####################### data "aws_vpc_endpoint_service" "ec2" { - count = "${var.create_vpc && var.enable_ec2_endpoint ? 1 : 0}" + count = var.create_vpc && var.enable_ec2_endpoint ? 1 : 0 service = "ec2" } resource "aws_vpc_endpoint" "ec2" { - count = "${var.create_vpc && var.enable_ec2_endpoint ? 1 : 0}" + count = var.create_vpc && var.enable_ec2_endpoint ? 1 : 0 - vpc_id = "${local.vpc_id}" - service_name = "${data.aws_vpc_endpoint_service.ec2.service_name}" + vpc_id = local.vpc_id + service_name = data.aws_vpc_endpoint_service.ec2[0].service_name vpc_endpoint_type = "Interface" - security_group_ids = ["${var.ec2_endpoint_security_group_ids}"] - subnet_ids = ["${coalescelist(var.ec2_endpoint_subnet_ids, aws_subnet.private.*.id)}"] - private_dns_enabled = "${var.ec2_endpoint_private_dns_enabled}" + security_group_ids = var.ec2_endpoint_security_group_ids + subnet_ids = coalescelist(var.ec2_endpoint_subnet_ids, aws_subnet.private.*.id) + private_dns_enabled = var.ec2_endpoint_private_dns_enabled } ############################### # VPC Endpoint for EC2MESSAGES ############################### data "aws_vpc_endpoint_service" "ec2messages" { - count = "${var.create_vpc && var.enable_ec2messages_endpoint ? 1 : 0}" + count = var.create_vpc && var.enable_ec2messages_endpoint ? 1 : 0 service = "ec2messages" } resource "aws_vpc_endpoint" "ec2messages" { - count = "${var.create_vpc && var.enable_ec2messages_endpoint ? 1 : 0}" + count = var.create_vpc && var.enable_ec2messages_endpoint ? 1 : 0 - vpc_id = "${local.vpc_id}" - service_name = "${data.aws_vpc_endpoint_service.ec2messages.service_name}" + vpc_id = local.vpc_id + service_name = data.aws_vpc_endpoint_service.ec2messages[0].service_name vpc_endpoint_type = "Interface" - security_group_ids = ["${var.ec2messages_endpoint_security_group_ids}"] - subnet_ids = ["${coalescelist(var.ec2messages_endpoint_subnet_ids, aws_subnet.private.*.id)}"] - private_dns_enabled = "${var.ec2messages_endpoint_private_dns_enabled}" + security_group_ids = var.ec2messages_endpoint_security_group_ids + subnet_ids = coalescelist(var.ec2messages_endpoint_subnet_ids, aws_subnet.private.*.id) + private_dns_enabled = var.ec2messages_endpoint_private_dns_enabled } ########################### # VPC Endpoint for ECR API ########################### data "aws_vpc_endpoint_service" "ecr_api" { - count = "${var.create_vpc && var.enable_ecr_api_endpoint ? 1 : 0}" + count = var.create_vpc && var.enable_ecr_api_endpoint ? 1 : 0 service = "ecr.api" } resource "aws_vpc_endpoint" "ecr_api" { - count = "${var.create_vpc && var.enable_ecr_api_endpoint ? 1 : 0}" + count = var.create_vpc && var.enable_ecr_api_endpoint ? 1 : 0 - vpc_id = "${local.vpc_id}" - service_name = "${data.aws_vpc_endpoint_service.ecr_api.service_name}" + vpc_id = local.vpc_id + service_name = data.aws_vpc_endpoint_service.ecr_api[0].service_name vpc_endpoint_type = "Interface" - security_group_ids = ["${var.ecr_api_endpoint_security_group_ids}"] - subnet_ids = ["${coalescelist(var.ecr_api_endpoint_subnet_ids, aws_subnet.private.*.id)}"] - private_dns_enabled = "${var.ecr_api_endpoint_private_dns_enabled}" + security_group_ids = var.ecr_api_endpoint_security_group_ids + subnet_ids = coalescelist(var.ecr_api_endpoint_subnet_ids, aws_subnet.private.*.id) + private_dns_enabled = var.ecr_api_endpoint_private_dns_enabled } ########################### # VPC Endpoint for ECR DKR ########################### data "aws_vpc_endpoint_service" "ecr_dkr" { - count = "${var.create_vpc && var.enable_ecr_dkr_endpoint ? 1 : 0}" + count = var.create_vpc && var.enable_ecr_dkr_endpoint ? 1 : 0 service = "ecr.dkr" } resource "aws_vpc_endpoint" "ecr_dkr" { - count = "${var.create_vpc && var.enable_ecr_dkr_endpoint ? 1 : 0}" + count = var.create_vpc && var.enable_ecr_dkr_endpoint ? 1 : 0 - vpc_id = "${local.vpc_id}" - service_name = "${data.aws_vpc_endpoint_service.ecr_dkr.service_name}" + vpc_id = local.vpc_id + service_name = data.aws_vpc_endpoint_service.ecr_dkr[0].service_name vpc_endpoint_type = "Interface" - security_group_ids = ["${var.ecr_dkr_endpoint_security_group_ids}"] - subnet_ids = ["${coalescelist(var.ecr_dkr_endpoint_subnet_ids, aws_subnet.private.*.id)}"] - private_dns_enabled = "${var.ecr_dkr_endpoint_private_dns_enabled}" + security_group_ids = var.ecr_dkr_endpoint_security_group_ids + subnet_ids = coalescelist(var.ecr_dkr_endpoint_subnet_ids, aws_subnet.private.*.id) + private_dns_enabled = var.ecr_dkr_endpoint_private_dns_enabled } ####################### # VPC Endpoint for API Gateway ####################### data "aws_vpc_endpoint_service" "apigw" { - count = "${var.create_vpc && var.enable_apigw_endpoint ? 1 : 0}" + count = var.create_vpc && var.enable_apigw_endpoint ? 1 : 0 service = "execute-api" } resource "aws_vpc_endpoint" "apigw" { - count = "${var.create_vpc && var.enable_apigw_endpoint ? 1 : 0}" + count = var.create_vpc && var.enable_apigw_endpoint ? 1 : 0 - vpc_id = "${local.vpc_id}" - service_name = "${data.aws_vpc_endpoint_service.apigw.service_name}" + vpc_id = local.vpc_id + service_name = data.aws_vpc_endpoint_service.apigw[0].service_name vpc_endpoint_type = "Interface" - security_group_ids = ["${var.apigw_endpoint_security_group_ids}"] - subnet_ids = ["${coalescelist(var.apigw_endpoint_subnet_ids, aws_subnet.private.*.id)}"] - private_dns_enabled = "${var.apigw_endpoint_private_dns_enabled}" + security_group_ids = var.apigw_endpoint_security_group_ids + subnet_ids = coalescelist(var.apigw_endpoint_subnet_ids, aws_subnet.private.*.id) + private_dns_enabled = var.apigw_endpoint_private_dns_enabled } ####################### # VPC Endpoint for KMS ####################### data "aws_vpc_endpoint_service" "kms" { - count = "${var.create_vpc && var.enable_kms_endpoint ? 1 : 0}" + count = var.create_vpc && var.enable_kms_endpoint ? 1 : 0 service = "kms" } resource "aws_vpc_endpoint" "kms" { - count = "${var.create_vpc && var.enable_kms_endpoint ? 1 : 0}" + count = var.create_vpc && var.enable_kms_endpoint ? 1 : 0 - vpc_id = "${local.vpc_id}" - service_name = "${data.aws_vpc_endpoint_service.kms.service_name}" + vpc_id = local.vpc_id + service_name = data.aws_vpc_endpoint_service.kms[0].service_name + vpc_endpoint_type = "Interface" + + security_group_ids = var.kms_endpoint_security_group_ids + subnet_ids = coalescelist(var.kms_endpoint_subnet_ids, aws_subnet.private.*.id) + private_dns_enabled = var.kms_endpoint_private_dns_enabled +} + +####################### +# VPC Endpoint for ECS +####################### +data "aws_vpc_endpoint_service" "ecs" { + count = var.create_vpc && var.enable_ecs_endpoint ? 1 : 0 + + service = "ecs" +} + +resource "aws_vpc_endpoint" "ecs" { + count = var.create_vpc && var.enable_ecs_endpoint ? 1 : 0 + + vpc_id = local.vpc_id + service_name = data.aws_vpc_endpoint_service.ecs[0].service_name vpc_endpoint_type = "Interface" - security_group_ids = ["${var.kms_endpoint_security_group_ids}"] - subnet_ids = ["${coalescelist(var.kms_endpoint_subnet_ids, aws_subnet.private.*.id)}"] - private_dns_enabled = "${var.kms_endpoint_private_dns_enabled}" + security_group_ids = var.ecs_endpoint_security_group_ids + subnet_ids = coalescelist(var.ecs_endpoint_subnet_ids, aws_subnet.private.*.id) + private_dns_enabled = var.ecs_endpoint_private_dns_enabled +} + + +####################### +# VPC Endpoint for ECS Agent +####################### +data "aws_vpc_endpoint_service" "ecs_agent" { + count = var.create_vpc && var.enable_ecs_agent_endpoint ? 1 : 0 + + service = "ecs-agent" +} + +resource "aws_vpc_endpoint" "ecs_agent" { + count = var.create_vpc && var.enable_ecs_agent_endpoint ? 1 : 0 + + vpc_id = local.vpc_id + service_name = data.aws_vpc_endpoint_service.ecs_agent[0].service_name + vpc_endpoint_type = "Interface" + + security_group_ids = var.ecs_agent_endpoint_security_group_ids + subnet_ids = coalescelist(var.ecs_agent_endpoint_subnet_ids, aws_subnet.private.*.id) + private_dns_enabled = var.ecs_agent_endpoint_private_dns_enabled +} + + +####################### +# VPC Endpoint for ECS Telemetry +####################### +data "aws_vpc_endpoint_service" "ecs_telemetry" { + count = var.create_vpc && var.enable_ecs_telemetry_endpoint ? 1 : 0 + + service = "ecs-telemetry" +} + +resource "aws_vpc_endpoint" "ecs_telemetry" { + count = var.create_vpc && var.enable_ecs_telemetry_endpoint ? 1 : 0 + + vpc_id = local.vpc_id + service_name = data.aws_vpc_endpoint_service.ecs_telemetry[0].service_name + vpc_endpoint_type = "Interface" + + security_group_ids = var.ecs_telemetry_endpoint_security_group_ids + subnet_ids = coalescelist(var.ecs_telemetry_endpoint_subnet_ids, aws_subnet.private.*.id) + private_dns_enabled = var.ecs_telemetry_endpoint_private_dns_enabled } @@ -921,96 +1243,139 @@ resource "aws_vpc_endpoint" "ecs_telemetry" { # Route table association ########################## resource "aws_route_table_association" "private" { - count = "${var.create_vpc && length(var.private_subnets) > 0 ? length(var.private_subnets) : 0}" + count = var.create_vpc && length(var.private_subnets) > 0 ? length(var.private_subnets) : 0 - subnet_id = "${element(aws_subnet.private.*.id, count.index)}" - route_table_id = "${element(aws_route_table.private.*.id, (var.single_nat_gateway ? 0 : count.index))}" + subnet_id = element(aws_subnet.private.*.id, count.index) + route_table_id = element( + aws_route_table.private.*.id, + var.single_nat_gateway ? 0 : count.index, + ) } resource "aws_route_table_association" "database" { - count = "${var.create_vpc && length(var.database_subnets) > 0 ? length(var.database_subnets) : 0}" + count = var.create_vpc && length(var.database_subnets) > 0 ? length(var.database_subnets) : 0 - subnet_id = "${element(aws_subnet.database.*.id, count.index)}" - route_table_id = "${element(coalescelist(aws_route_table.database.*.id, aws_route_table.private.*.id), (var.single_nat_gateway || var.create_database_subnet_route_table ? 0 : count.index))}" + subnet_id = element(aws_subnet.database.*.id, count.index) + route_table_id = element( + coalescelist(aws_route_table.database.*.id, aws_route_table.private.*.id), + var.single_nat_gateway || var.create_database_subnet_route_table ? 0 : count.index, + ) } resource "aws_route_table_association" "redshift" { - count = "${var.create_vpc && length(var.redshift_subnets) > 0 && ! var.enable_public_redshift ? length(var.redshift_subnets) : 0}" + count = var.create_vpc && length(var.redshift_subnets) > 0 && false == var.enable_public_redshift ? length(var.redshift_subnets) : 0 - subnet_id = "${element(aws_subnet.redshift.*.id, count.index)}" - route_table_id = "${element(coalescelist(aws_route_table.redshift.*.id, aws_route_table.private.*.id), (var.single_nat_gateway || var.create_redshift_subnet_route_table ? 0 : count.index))}" + subnet_id = element(aws_subnet.redshift.*.id, count.index) + route_table_id = element( + coalescelist(aws_route_table.redshift.*.id, aws_route_table.private.*.id), + var.single_nat_gateway || var.create_redshift_subnet_route_table ? 0 : count.index, + ) } resource "aws_route_table_association" "redshift_public" { - count = "${var.create_vpc && length(var.redshift_subnets) > 0 && var.enable_public_redshift ? length(var.redshift_subnets) : 0}" + count = var.create_vpc && length(var.redshift_subnets) > 0 && var.enable_public_redshift ? length(var.redshift_subnets) : 0 - subnet_id = "${element(aws_subnet.redshift.*.id, count.index)}" - route_table_id = "${element(coalescelist(aws_route_table.redshift.*.id, aws_route_table.public.*.id), (var.single_nat_gateway || var.create_redshift_subnet_route_table ? 0 : count.index))}" + subnet_id = element(aws_subnet.redshift.*.id, count.index) + route_table_id = element( + coalescelist(aws_route_table.redshift.*.id, aws_route_table.public.*.id), + var.single_nat_gateway || var.create_redshift_subnet_route_table ? 0 : count.index, + ) } resource "aws_route_table_association" "elasticache" { - count = "${var.create_vpc && length(var.elasticache_subnets) > 0 ? length(var.elasticache_subnets) : 0}" + count = var.create_vpc && length(var.elasticache_subnets) > 0 ? length(var.elasticache_subnets) : 0 - subnet_id = "${element(aws_subnet.elasticache.*.id, count.index)}" - route_table_id = "${element(coalescelist(aws_route_table.elasticache.*.id, aws_route_table.private.*.id), (var.single_nat_gateway || var.create_elasticache_subnet_route_table ? 0 : count.index))}" + subnet_id = element(aws_subnet.elasticache.*.id, count.index) + route_table_id = element( + coalescelist( + aws_route_table.elasticache.*.id, + aws_route_table.private.*.id, + ), + var.single_nat_gateway || var.create_elasticache_subnet_route_table ? 0 : count.index, + ) } resource "aws_route_table_association" "intra" { - count = "${var.create_vpc && length(var.intra_subnets) > 0 ? length(var.intra_subnets) : 0}" + count = var.create_vpc && length(var.intra_subnets) > 0 ? length(var.intra_subnets) : 0 - subnet_id = "${element(aws_subnet.intra.*.id, count.index)}" - route_table_id = "${element(aws_route_table.intra.*.id, 0)}" + subnet_id = element(aws_subnet.intra.*.id, count.index) + route_table_id = element(aws_route_table.intra.*.id, 0) } resource "aws_route_table_association" "public" { - count = "${var.create_vpc && length(var.public_subnets) > 0 ? length(var.public_subnets) : 0}" + count = var.create_vpc && length(var.public_subnets) > 0 ? length(var.public_subnets) : 0 - subnet_id = "${element(aws_subnet.public.*.id, count.index)}" - route_table_id = "${aws_route_table.public.id}" + subnet_id = element(aws_subnet.public.*.id, count.index) + route_table_id = aws_route_table.public[0].id } ############## # VPN Gateway ############## resource "aws_vpn_gateway" "this" { - count = "${var.create_vpc && var.enable_vpn_gateway ? 1 : 0}" + count = var.create_vpc && var.enable_vpn_gateway ? 1 : 0 - vpc_id = "${local.vpc_id}" - amazon_side_asn = "${var.amazon_side_asn}" + vpc_id = local.vpc_id + amazon_side_asn = var.amazon_side_asn - tags = "${merge(map("Name", format("%s", var.name)), var.tags, var.vpn_gateway_tags)}" + tags = merge( + { + "Name" = format("%s", var.name) + }, + var.tags, + var.vpn_gateway_tags, + ) } resource "aws_vpn_gateway_attachment" "this" { - count = "${var.vpn_gateway_id != "" ? 1 : 0}" + count = var.vpn_gateway_id != "" ? 1 : 0 - vpc_id = "${local.vpc_id}" - vpn_gateway_id = "${var.vpn_gateway_id}" + vpc_id = local.vpc_id + vpn_gateway_id = var.vpn_gateway_id } resource "aws_vpn_gateway_route_propagation" "public" { - count = "${var.create_vpc && var.propagate_public_route_tables_vgw && (var.enable_vpn_gateway || var.vpn_gateway_id != "") ? 1 : 0}" + count = var.create_vpc && var.propagate_public_route_tables_vgw && var.enable_vpn_gateway || var.vpn_gateway_id != "" ? 1 : 0 - route_table_id = "${element(aws_route_table.public.*.id, count.index)}" - vpn_gateway_id = "${element(concat(aws_vpn_gateway.this.*.id, aws_vpn_gateway_attachment.this.*.vpn_gateway_id), count.index)}" + route_table_id = element(aws_route_table.public.*.id, count.index) + vpn_gateway_id = element( + concat( + aws_vpn_gateway.this.*.id, + aws_vpn_gateway_attachment.this.*.vpn_gateway_id, + ), + count.index, + ) } resource "aws_vpn_gateway_route_propagation" "private" { - count = "${var.create_vpc && var.propagate_private_route_tables_vgw && (var.enable_vpn_gateway || var.vpn_gateway_id != "") ? length(var.private_subnets) : 0}" + count = var.create_vpc && var.propagate_private_route_tables_vgw && var.enable_vpn_gateway || var.vpn_gateway_id != "" ? length(var.private_subnets) : 0 - route_table_id = "${element(aws_route_table.private.*.id, count.index)}" - vpn_gateway_id = "${element(concat(aws_vpn_gateway.this.*.id, aws_vpn_gateway_attachment.this.*.vpn_gateway_id), count.index)}" + route_table_id = element(aws_route_table.private.*.id, count.index) + vpn_gateway_id = element( + concat( + aws_vpn_gateway.this.*.id, + aws_vpn_gateway_attachment.this.*.vpn_gateway_id, + ), + count.index, + ) } ########### # Defaults ########### resource "aws_default_vpc" "this" { - count = "${var.manage_default_vpc ? 1 : 0}" + count = var.manage_default_vpc ? 1 : 0 - enable_dns_support = "${var.default_vpc_enable_dns_support}" - enable_dns_hostnames = "${var.default_vpc_enable_dns_hostnames}" - enable_classiclink = "${var.default_vpc_enable_classiclink}" + enable_dns_support = var.default_vpc_enable_dns_support + enable_dns_hostnames = var.default_vpc_enable_dns_hostnames + enable_classiclink = var.default_vpc_enable_classiclink - tags = "${merge(map("Name", format("%s", var.default_vpc_name)), var.tags, var.default_vpc_tags)}" + tags = merge( + { + "Name" = format("%s", var.default_vpc_name) + }, + var.tags, + var.default_vpc_tags, + ) } + diff --git a/outputs.tf b/outputs.tf index fc8a43b9e..ad16b5ecb 100644 --- a/outputs.tf +++ b/outputs.tf @@ -1,46 +1,46 @@ output "vpc_id" { description = "The ID of the VPC" - value = "${element(concat(aws_vpc.this.*.id, list("")), 0)}" + value = concat(aws_vpc.this.*.id, [""])[0] } output "vpc_arn" { description = "The ARN of the VPC" - value = "${element(concat(aws_vpc.this.*.arn, list("")), 0)}" + value = concat(aws_vpc.this.*.arn, [""])[0] } output "vpc_cidr_block" { description = "The CIDR block of the VPC" - value = "${element(concat(aws_vpc.this.*.cidr_block, list("")), 0)}" + value = concat(aws_vpc.this.*.cidr_block, [""])[0] } output "default_security_group_id" { description = "The ID of the security group created by default on VPC creation" - value = "${element(concat(aws_vpc.this.*.default_security_group_id, list("")), 0)}" + value = concat(aws_vpc.this.*.default_security_group_id, [""])[0] } output "default_network_acl_id" { description = "The ID of the default network ACL" - value = "${element(concat(aws_vpc.this.*.default_network_acl_id, list("")), 0)}" + value = concat(aws_vpc.this.*.default_network_acl_id, [""])[0] } output "default_route_table_id" { description = "The ID of the default route table" - value = "${element(concat(aws_vpc.this.*.default_route_table_id, list("")), 0)}" + value = concat(aws_vpc.this.*.default_route_table_id, [""])[0] } output "vpc_instance_tenancy" { description = "Tenancy of instances spin up within VPC" - value = "${element(concat(aws_vpc.this.*.instance_tenancy, list("")), 0)}" + value = concat(aws_vpc.this.*.instance_tenancy, [""])[0] } output "vpc_enable_dns_support" { description = "Whether or not the VPC has DNS support" - value = "${element(concat(aws_vpc.this.*.enable_dns_support, list("")), 0)}" + value = concat(aws_vpc.this.*.enable_dns_support, [""])[0] } output "vpc_enable_dns_hostnames" { description = "Whether or not the VPC has DNS hostname support" - value = "${element(concat(aws_vpc.this.*.enable_dns_hostnames, list("")), 0)}" + value = concat(aws_vpc.this.*.enable_dns_hostnames, [""])[0] } //output "vpc_enable_classiclink" { @@ -50,7 +50,7 @@ output "vpc_enable_dns_hostnames" { output "vpc_main_route_table_id" { description = "The ID of the main route table associated with this VPC" - value = "${element(concat(aws_vpc.this.*.main_route_table_id, list("")), 0)}" + value = concat(aws_vpc.this.*.main_route_table_id, [""])[0] } //output "vpc_ipv6_association_id" { @@ -65,212 +65,216 @@ output "vpc_main_route_table_id" { output "vpc_secondary_cidr_blocks" { description = "List of secondary CIDR blocks of the VPC" - value = ["${aws_vpc_ipv4_cidr_block_association.this.*.cidr_block}"] + value = aws_vpc_ipv4_cidr_block_association.this.*.cidr_block } output "private_subnets" { description = "List of IDs of private subnets" - value = ["${aws_subnet.private.*.id}"] + value = aws_subnet.private.*.id } output "private_subnet_arns" { description = "List of ARNs of private subnets" - value = ["${aws_subnet.private.*.arn}"] + value = aws_subnet.private.*.arn } output "private_subnets_cidr_blocks" { description = "List of cidr_blocks of private subnets" - value = ["${aws_subnet.private.*.cidr_block}"] + value = aws_subnet.private.*.cidr_block } output "public_subnets" { description = "List of IDs of public subnets" - value = ["${aws_subnet.public.*.id}"] + value = aws_subnet.public.*.id } output "public_subnet_arns" { description = "List of ARNs of public subnets" - value = ["${aws_subnet.public.*.arn}"] + value = aws_subnet.public.*.arn } output "public_subnets_cidr_blocks" { description = "List of cidr_blocks of public subnets" - value = ["${aws_subnet.public.*.cidr_block}"] + value = aws_subnet.public.*.cidr_block } output "database_subnets" { description = "List of IDs of database subnets" - value = ["${aws_subnet.database.*.id}"] + value = aws_subnet.database.*.id } output "database_subnet_arns" { description = "List of ARNs of database subnets" - value = ["${aws_subnet.database.*.arn}"] + value = aws_subnet.database.*.arn } output "database_subnets_cidr_blocks" { description = "List of cidr_blocks of database subnets" - value = ["${aws_subnet.database.*.cidr_block}"] + value = aws_subnet.database.*.cidr_block } output "database_subnet_group" { description = "ID of database subnet group" - value = "${element(concat(aws_db_subnet_group.database.*.id, list("")), 0)}" + value = concat(aws_db_subnet_group.database.*.id, [""])[0] } output "redshift_subnets" { description = "List of IDs of redshift subnets" - value = ["${aws_subnet.redshift.*.id}"] + value = aws_subnet.redshift.*.id } output "redshift_subnet_arns" { description = "List of ARNs of redshift subnets" - value = ["${aws_subnet.redshift.*.arn}"] + value = aws_subnet.redshift.*.arn } output "redshift_subnets_cidr_blocks" { description = "List of cidr_blocks of redshift subnets" - value = ["${aws_subnet.redshift.*.cidr_block}"] + value = aws_subnet.redshift.*.cidr_block } output "redshift_subnet_group" { description = "ID of redshift subnet group" - value = "${element(concat(aws_redshift_subnet_group.redshift.*.id, list("")), 0)}" + value = concat(aws_redshift_subnet_group.redshift.*.id, [""])[0] } output "elasticache_subnets" { description = "List of IDs of elasticache subnets" - value = ["${aws_subnet.elasticache.*.id}"] + value = aws_subnet.elasticache.*.id } output "elasticache_subnet_arns" { description = "List of ARNs of elasticache subnets" - value = ["${aws_subnet.elasticache.*.arn}"] + value = aws_subnet.elasticache.*.arn } output "elasticache_subnets_cidr_blocks" { description = "List of cidr_blocks of elasticache subnets" - value = ["${aws_subnet.elasticache.*.cidr_block}"] + value = aws_subnet.elasticache.*.cidr_block } output "intra_subnets" { description = "List of IDs of intra subnets" - value = ["${aws_subnet.intra.*.id}"] + value = aws_subnet.intra.*.id } output "intra_subnet_arns" { description = "List of ARNs of intra subnets" - value = ["${aws_subnet.intra.*.arn}"] + value = aws_subnet.intra.*.arn } output "intra_subnets_cidr_blocks" { description = "List of cidr_blocks of intra subnets" - value = ["${aws_subnet.intra.*.cidr_block}"] + value = aws_subnet.intra.*.cidr_block } output "elasticache_subnet_group" { description = "ID of elasticache subnet group" - value = "${element(concat(aws_elasticache_subnet_group.elasticache.*.id, list("")), 0)}" + value = concat(aws_elasticache_subnet_group.elasticache.*.id, [""])[0] } output "elasticache_subnet_group_name" { description = "Name of elasticache subnet group" - value = "${element(concat(aws_elasticache_subnet_group.elasticache.*.name, list("")), 0)}" + value = concat(aws_elasticache_subnet_group.elasticache.*.name, [""])[0] } output "public_route_table_ids" { description = "List of IDs of public route tables" - value = ["${aws_route_table.public.*.id}"] + value = aws_route_table.public.*.id } output "private_route_table_ids" { description = "List of IDs of private route tables" - value = ["${aws_route_table.private.*.id}"] + value = aws_route_table.private.*.id } output "database_route_table_ids" { description = "List of IDs of database route tables" - value = ["${coalescelist(aws_route_table.database.*.id, aws_route_table.private.*.id)}"] + value = length(aws_route_table.database.*.id) > 0 ? aws_route_table.database.*.id : aws_route_table.private.*.id } output "redshift_route_table_ids" { description = "List of IDs of redshift route tables" - value = ["${coalescelist(aws_route_table.redshift.*.id, aws_route_table.private.*.id)}"] + value = length(aws_route_table.redshift.*.id) > 0 ? aws_route_table.redshift.*.id : aws_route_table.private.*.id } output "elasticache_route_table_ids" { description = "List of IDs of elasticache route tables" - value = ["${coalescelist(aws_route_table.elasticache.*.id, aws_route_table.private.*.id)}"] + value = length(aws_route_table.elasticache.*.id) > 0 ? aws_route_table.elasticache.*.id : aws_route_table.private.*.id } output "intra_route_table_ids" { description = "List of IDs of intra route tables" - value = ["${aws_route_table.intra.*.id}"] + value = aws_route_table.intra.*.id } output "nat_ids" { description = "List of allocation ID of Elastic IPs created for AWS NAT Gateway" - value = ["${aws_eip.nat.*.id}"] + value = aws_eip.nat.*.id } output "nat_public_ips" { description = "List of public Elastic IPs created for AWS NAT Gateway" - value = ["${aws_eip.nat.*.public_ip}"] + value = aws_eip.nat.*.public_ip } output "natgw_ids" { description = "List of NAT Gateway IDs" - value = ["${aws_nat_gateway.this.*.id}"] + value = aws_nat_gateway.this.*.id } output "igw_id" { description = "The ID of the Internet Gateway" - value = "${element(concat(aws_internet_gateway.this.*.id, list("")), 0)}" + value = concat(aws_internet_gateway.this.*.id, [""])[0] } output "vgw_id" { description = "The ID of the VPN Gateway" - value = "${element(concat(aws_vpn_gateway.this.*.id, aws_vpn_gateway_attachment.this.*.vpn_gateway_id, list("")), 0)}" + value = concat( + aws_vpn_gateway.this.*.id, + aws_vpn_gateway_attachment.this.*.vpn_gateway_id, + [""], + )[0] } output "default_vpc_id" { description = "The ID of the VPC" - value = "${element(concat(aws_default_vpc.this.*.id, list("")), 0)}" + value = concat(aws_default_vpc.this.*.id, [""])[0] } output "default_vpc_cidr_block" { description = "The CIDR block of the VPC" - value = "${element(concat(aws_default_vpc.this.*.cidr_block, list("")), 0)}" + value = concat(aws_default_vpc.this.*.cidr_block, [""])[0] } output "default_vpc_default_security_group_id" { description = "The ID of the security group created by default on VPC creation" - value = "${element(concat(aws_default_vpc.this.*.default_security_group_id, list("")), 0)}" + value = concat(aws_default_vpc.this.*.default_security_group_id, [""])[0] } output "default_vpc_default_network_acl_id" { description = "The ID of the default network ACL" - value = "${element(concat(aws_default_vpc.this.*.default_network_acl_id, list("")), 0)}" + value = concat(aws_default_vpc.this.*.default_network_acl_id, [""])[0] } output "default_vpc_default_route_table_id" { description = "The ID of the default route table" - value = "${element(concat(aws_default_vpc.this.*.default_route_table_id, list("")), 0)}" + value = concat(aws_default_vpc.this.*.default_route_table_id, [""])[0] } output "default_vpc_instance_tenancy" { description = "Tenancy of instances spin up within VPC" - value = "${element(concat(aws_default_vpc.this.*.instance_tenancy, list("")), 0)}" + value = concat(aws_default_vpc.this.*.instance_tenancy, [""])[0] } output "default_vpc_enable_dns_support" { description = "Whether or not the VPC has DNS support" - value = "${element(concat(aws_default_vpc.this.*.enable_dns_support, list("")), 0)}" + value = concat(aws_default_vpc.this.*.enable_dns_support, [""])[0] } output "default_vpc_enable_dns_hostnames" { description = "Whether or not the VPC has DNS hostname support" - value = "${element(concat(aws_default_vpc.this.*.enable_dns_hostnames, list("")), 0)}" + value = concat(aws_default_vpc.this.*.enable_dns_hostnames, [""])[0] } //output "default_vpc_enable_classiclink" { @@ -280,7 +284,7 @@ output "default_vpc_enable_dns_hostnames" { output "default_vpc_main_route_table_id" { description = "The ID of the main route table associated with this VPC" - value = "${element(concat(aws_default_vpc.this.*.main_route_table_id, list("")), 0)}" + value = concat(aws_default_vpc.this.*.main_route_table_id, [""])[0] } //output "default_vpc_ipv6_association_id" { @@ -295,53 +299,68 @@ output "default_vpc_main_route_table_id" { output "public_network_acl_id" { description = "ID of the public network ACL" - value = "${element(concat(aws_network_acl.public.*.id, list("")), 0)}" + value = concat(aws_network_acl.public.*.id, [""])[0] } output "private_network_acl_id" { description = "ID of the private network ACL" - value = "${element(concat(aws_network_acl.private.*.id, list("")), 0)}" + value = concat(aws_network_acl.private.*.id, [""])[0] } output "intra_network_acl_id" { description = "ID of the intra network ACL" - value = "${element(concat(aws_network_acl.intra.*.id, list("")), 0)}" + value = concat(aws_network_acl.intra.*.id, [""])[0] } output "database_network_acl_id" { description = "ID of the database network ACL" - value = "${element(concat(aws_network_acl.database.*.id, list("")), 0)}" + value = concat(aws_network_acl.database.*.id, [""])[0] } output "redshift_network_acl_id" { description = "ID of the redshift network ACL" - value = "${element(concat(aws_network_acl.redshift.*.id, list("")), 0)}" + value = concat(aws_network_acl.redshift.*.id, [""])[0] } output "elasticache_network_acl_id" { description = "ID of the elasticache network ACL" - value = "${element(concat(aws_network_acl.elasticache.*.id, list("")), 0)}" + value = concat(aws_network_acl.elasticache.*.id, [""])[0] } # VPC Endpoints output "vpc_endpoint_s3_id" { description = "The ID of VPC endpoint for S3" - value = "${element(concat(aws_vpc_endpoint.s3.*.id, list("")), 0)}" + value = concat(aws_vpc_endpoint.s3.*.id, [""])[0] } output "vpc_endpoint_s3_pl_id" { description = "The prefix list for the S3 VPC endpoint." - value = "${element(concat(aws_vpc_endpoint.s3.*.prefix_list_id, list("")), 0)}" + value = concat(aws_vpc_endpoint.s3.*.prefix_list_id, [""])[0] } output "vpc_endpoint_dynamodb_id" { description = "The ID of VPC endpoint for DynamoDB" - value = "${element(concat(aws_vpc_endpoint.dynamodb.*.id, list("")), 0)}" + value = concat(aws_vpc_endpoint.dynamodb.*.id, [""])[0] } output "vpc_endpoint_dynamodb_pl_id" { description = "The prefix list for the DynamoDB VPC endpoint." - value = "${element(concat(aws_vpc_endpoint.dynamodb.*.prefix_list_id, list("")), 0)}" + value = concat(aws_vpc_endpoint.dynamodb.*.prefix_list_id, [""])[0] +} + +output "vpc_endpoint_sqs_id" { + description = "The ID of VPC endpoint for SQS" + value = concat(aws_vpc_endpoint.sqs.*.id, [""])[0] +} + +output "vpc_endpoint_sqs_network_interface_ids" { + description = "One or more network interfaces for the VPC Endpoint for SQS." + value = flatten(aws_vpc_endpoint.sqs.*.network_interface_ids) +} + +output "vpc_endpoint_sqs_dns_entry" { + description = "The DNS entries for the VPC Endpoint for SQS." + value = flatten(aws_vpc_endpoint.sqs.*.dns_entry) } output "vpc_endpoint_sqs_id" { @@ -361,122 +380,167 @@ output "vpc_endpoint_sqs_dns_entry" { output "vpc_endpoint_ssm_id" { description = "The ID of VPC endpoint for SSM" - value = "${element(concat(aws_vpc_endpoint.ssm.*.id, list("")), 0)}" + value = concat(aws_vpc_endpoint.ssm.*.id, [""])[0] } output "vpc_endpoint_ssm_network_interface_ids" { description = "One or more network interfaces for the VPC Endpoint for SSM." - value = "${flatten(aws_vpc_endpoint.ssm.*.network_interface_ids)}" + value = flatten(aws_vpc_endpoint.ssm.*.network_interface_ids) } output "vpc_endpoint_ssm_dns_entry" { description = "The DNS entries for the VPC Endpoint for SSM." - value = "${flatten(aws_vpc_endpoint.ssm.*.dns_entry)}" + value = flatten(aws_vpc_endpoint.ssm.*.dns_entry) } output "vpc_endpoint_ssmmessages_id" { description = "The ID of VPC endpoint for SSMMESSAGES" - value = "${element(concat(aws_vpc_endpoint.ssmmessages.*.id, list("")), 0)}" + value = concat(aws_vpc_endpoint.ssmmessages.*.id, [""])[0] } output "vpc_endpoint_ssmmessages_network_interface_ids" { description = "One or more network interfaces for the VPC Endpoint for SSMMESSAGES." - value = "${flatten(aws_vpc_endpoint.ssmmessages.*.network_interface_ids)}" + value = flatten(aws_vpc_endpoint.ssmmessages.*.network_interface_ids) } output "vpc_endpoint_ssmmessages_dns_entry" { description = "The DNS entries for the VPC Endpoint for SSMMESSAGES." - value = "${flatten(aws_vpc_endpoint.ssmmessages.*.dns_entry)}" + value = flatten(aws_vpc_endpoint.ssmmessages.*.dns_entry) } output "vpc_endpoint_ec2_id" { description = "The ID of VPC endpoint for EC2" - value = "${element(concat(aws_vpc_endpoint.ec2.*.id, list("")), 0)}" + value = concat(aws_vpc_endpoint.ec2.*.id, [""])[0] } output "vpc_endpoint_ec2_network_interface_ids" { description = "One or more network interfaces for the VPC Endpoint for EC2" - value = "${flatten(aws_vpc_endpoint.ec2.*.network_interface_ids)}" + value = flatten(aws_vpc_endpoint.ec2.*.network_interface_ids) } output "vpc_endpoint_ec2_dns_entry" { description = "The DNS entries for the VPC Endpoint for EC2." - value = "${flatten(aws_vpc_endpoint.ec2.*.dns_entry)}" + value = flatten(aws_vpc_endpoint.ec2.*.dns_entry) } output "vpc_endpoint_ec2messages_id" { description = "The ID of VPC endpoint for EC2MESSAGES" - value = "${element(concat(aws_vpc_endpoint.ec2messages.*.id, list("")), 0)}" + value = concat(aws_vpc_endpoint.ec2messages.*.id, [""])[0] } output "vpc_endpoint_ec2messages_network_interface_ids" { description = "One or more network interfaces for the VPC Endpoint for EC2MESSAGES" - value = "${flatten(aws_vpc_endpoint.ec2messages.*.network_interface_ids)}" + value = flatten(aws_vpc_endpoint.ec2messages.*.network_interface_ids) } output "vpc_endpoint_ec2messages_dns_entry" { description = "The DNS entries for the VPC Endpoint for EC2MESSAGES." - value = "${flatten(aws_vpc_endpoint.ec2messages.*.dns_entry)}" + value = flatten(aws_vpc_endpoint.ec2messages.*.dns_entry) } output "vpc_endpoint_kms_id" { description = "The ID of VPC endpoint for KMS" - value = "${element(concat(aws_vpc_endpoint.kms.*.id, list("")), 0)}" + value = concat(aws_vpc_endpoint.kms.*.id, [""])[0] } output "vpc_endpoint_kms_network_interface_ids" { description = "One or more network interfaces for the VPC Endpoint for KMS." - value = "${flatten(aws_vpc_endpoint.kms.*.network_interface_ids)}" + value = flatten(aws_vpc_endpoint.kms.*.network_interface_ids) } output "vpc_endpoint_kms_dns_entry" { description = "The DNS entries for the VPC Endpoint for KMS." - value = "${flatten(aws_vpc_endpoint.kms.*.dns_entry)}" + value = flatten(aws_vpc_endpoint.kms.*.dns_entry) } output "vpc_endpoint_ecr_api_id" { description = "The ID of VPC endpoint for ECR API" - value = "${element(concat(aws_vpc_endpoint.ecr_api.*.id, list("")), 0)}" + value = concat(aws_vpc_endpoint.ecr_api.*.id, [""])[0] } output "vpc_endpoint_ecr_api_network_interface_ids" { description = "One or more network interfaces for the VPC Endpoint for ECR API." - value = "${flatten(aws_vpc_endpoint.ecr_api.*.network_interface_ids)}" + value = flatten(aws_vpc_endpoint.ecr_api.*.network_interface_ids) } output "vpc_endpoint_ecr_api_dns_entry" { description = "The DNS entries for the VPC Endpoint for ECR API." - value = "${flatten(aws_vpc_endpoint.ecr_api.*.dns_entry)}" + value = flatten(aws_vpc_endpoint.ecr_api.*.dns_entry) } output "vpc_endpoint_ecr_dkr_id" { description = "The ID of VPC endpoint for ECR DKR" - value = "${element(concat(aws_vpc_endpoint.ecr_dkr.*.id, list("")), 0)}" + value = concat(aws_vpc_endpoint.ecr_dkr.*.id, [""])[0] } output "vpc_endpoint_ecr_dkr_network_interface_ids" { description = "One or more network interfaces for the VPC Endpoint for ECR DKR." - value = "${flatten(aws_vpc_endpoint.ecr_dkr.*.network_interface_ids)}" + value = flatten(aws_vpc_endpoint.ecr_dkr.*.network_interface_ids) } output "vpc_endpoint_ecr_dkr_dns_entry" { description = "The DNS entries for the VPC Endpoint for ECR DKR." - value = "${flatten(aws_vpc_endpoint.ecr_dkr.*.dns_entry)}" + value = flatten(aws_vpc_endpoint.ecr_dkr.*.dns_entry) } output "vpc_endpoint_apigw_id" { description = "The ID of VPC endpoint for APIGW" - value = "${element(concat(aws_vpc_endpoint.apigw.*.id, list("")), 0)}" + value = concat(aws_vpc_endpoint.apigw.*.id, [""])[0] } output "vpc_endpoint_apigw_network_interface_ids" { description = "One or more network interfaces for the VPC Endpoint for APIGW." - value = "${flatten(aws_vpc_endpoint.apigw.*.network_interface_ids)}" + value = flatten(aws_vpc_endpoint.apigw.*.network_interface_ids) } output "vpc_endpoint_apigw_dns_entry" { description = "The DNS entries for the VPC Endpoint for APIGW." - value = "${flatten(aws_vpc_endpoint.apigw.*.dns_entry)}" + value = flatten(aws_vpc_endpoint.apigw.*.dns_entry) +} + +output "vpc_endpoint_ecs_id" { + description = "The ID of VPC endpoint for ECS" + value = concat(aws_vpc_endpoint.ecs.*.id, [""])[0] +} + +output "vpc_endpoint_ecs_network_interface_ids" { + description = "One or more network interfaces for the VPC Endpoint for ECS." + value = flatten(aws_vpc_endpoint.ecs.*.network_interface_ids) +} + +output "vpc_endpoint_ecs_dns_entry" { + description = "The DNS entries for the VPC Endpoint for ECS." + value = flatten(aws_vpc_endpoint.ecs.*.dns_entry) +} + +output "vpc_endpoint_ecs_agent_id" { + description = "The ID of VPC endpoint for ECS Agent" + value = concat(aws_vpc_endpoint.ecs_agent.*.id, [""])[0] +} + +output "vpc_endpoint_ecs_agent_network_interface_ids" { + description = "One or more network interfaces for the VPC Endpoint for ECS Agent." + value = flatten(aws_vpc_endpoint.ecs_agent.*.network_interface_ids) +} + +output "vpc_endpoint_ecs_agent_dns_entry" { + description = "The DNS entries for the VPC Endpoint for ECS Agent." + value = flatten(aws_vpc_endpoint.ecs_agent.*.dns_entry) +} + +output "vpc_endpoint_ecs_telemetry_id" { + description = "The ID of VPC endpoint for ECS Telemetry" + value = concat(aws_vpc_endpoint.ecs_telemetry.*.id, [""])[0] +} + +output "vpc_endpoint_ecs_telemetry_network_interface_ids" { + description = "One or more network interfaces for the VPC Endpoint for ECS Telemetry." + value = flatten(aws_vpc_endpoint.ecs_telemetry.*.network_interface_ids) +} + +output "vpc_endpoint_ecs_telemetry_dns_entry" { + description = "The DNS entries for the VPC Endpoint for ECS Telemetry." + value = flatten(aws_vpc_endpoint.ecs_telemetry.*.dns_entry) } output "vpc_endpoint_ecs_id" { @@ -527,5 +591,6 @@ output "vpc_endpoint_ecs_telemetry_dns_entry" { # Static values (arguments) output "azs" { description = "A list of availability zones specified as argument to this module" - value = "${var.azs}" + value = var.azs } + diff --git a/variables.tf b/variables.tf index eb2b4d897..9ea9ac4ba 100644 --- a/variables.tf +++ b/variables.tf @@ -1,5 +1,6 @@ variable "create_vpc" { description = "Controls if VPC should be created (it affects almost all resources)" + type = bool default = true } @@ -15,172 +16,225 @@ variable "cidr" { variable "assign_generated_ipv6_cidr_block" { description = "Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block" + type = bool default = false } variable "secondary_cidr_blocks" { description = "List of secondary CIDR blocks to associate with the VPC to extend the IP Address pool" + type = list(string) default = [] } variable "instance_tenancy" { description = "A tenancy option for instances launched into the VPC" + type = string default = "default" } variable "public_subnet_suffix" { description = "Suffix to append to public subnets name" + type = string default = "public" } variable "private_subnet_suffix" { description = "Suffix to append to private subnets name" + type = string default = "private" } variable "intra_subnet_suffix" { description = "Suffix to append to intra subnets name" + type = string default = "intra" } variable "database_subnet_suffix" { description = "Suffix to append to database subnets name" + type = string default = "db" } variable "redshift_subnet_suffix" { description = "Suffix to append to redshift subnets name" + type = string default = "redshift" } variable "elasticache_subnet_suffix" { description = "Suffix to append to elasticache subnets name" + type = string default = "elasticache" } variable "public_subnets" { description = "A list of public subnets inside the VPC" + type = list(string) default = [] } variable "private_subnets" { description = "A list of private subnets inside the VPC" + type = list(string) default = [] } variable "database_subnets" { description = "A list of database subnets" + type = list(string) default = [] } variable "redshift_subnets" { description = "A list of redshift subnets" + type = list(string) default = [] } variable "elasticache_subnets" { description = "A list of elasticache subnets" + type = list(string) default = [] } variable "intra_subnets" { description = "A list of intra subnets" + type = list(string) default = [] } variable "create_database_subnet_route_table" { description = "Controls if separate route table for database should be created" + type = bool default = false } variable "create_redshift_subnet_route_table" { description = "Controls if separate route table for redshift should be created" + type = bool default = false } variable "enable_public_redshift" { description = "Controls if redshift should have public routing table" + type = bool default = false } variable "create_elasticache_subnet_route_table" { description = "Controls if separate route table for elasticache should be created" + type = bool default = false } variable "create_database_subnet_group" { description = "Controls if database subnet group should be created" + type = bool default = true } variable "create_elasticache_subnet_group" { description = "Controls if elasticache subnet group should be created" + type = bool default = true } variable "create_redshift_subnet_group" { description = "Controls if redshift subnet group should be created" + type = bool default = true } variable "create_database_internet_gateway_route" { description = "Controls if an internet gateway route for public database access should be created" + type = bool default = false } variable "create_database_nat_gateway_route" { description = "Controls if a nat gateway route should be created to give internet access to the database subnets" + type = bool default = false } variable "azs" { description = "A list of availability zones in the region" + type = list(string) default = [] } variable "enable_dns_hostnames" { description = "Should be true to enable DNS hostnames in the VPC" + type = bool default = false } variable "enable_dns_support" { description = "Should be true to enable DNS support in the VPC" + type = bool default = true } variable "enable_nat_gateway" { description = "Should be true if you want to provision NAT Gateways for each of your private networks" + type = bool default = false } variable "single_nat_gateway" { description = "Should be true if you want to provision a single shared NAT Gateway across all of your private networks" + type = bool default = false } variable "one_nat_gateway_per_az" { description = "Should be true if you want only one NAT Gateway per availability zone. Requires `var.azs` to be set, and the number of `public_subnets` created to be greater than or equal to the number of availability zones specified in `var.azs`." + type = bool default = false } variable "reuse_nat_ips" { description = "Should be true if you don't want EIPs to be created for your NAT Gateways and will instead pass them in via the 'external_nat_ip_ids' variable" + type = bool default = false } variable "external_nat_ip_ids" { description = "List of EIP IDs to be assigned to the NAT Gateways (used in combination with reuse_nat_ips)" - - default = [] + type = list(string) + default = [] } variable "enable_dynamodb_endpoint" { description = "Should be true if you want to provision a DynamoDB endpoint to the VPC" + type = bool default = false } variable "enable_s3_endpoint" { description = "Should be true if you want to provision an S3 endpoint to the VPC" + type = bool + default = false +} + +variable "enable_sqs_endpoint" { + description = "Should be true if you want to provision an SQS endpoint to the VPC" + default = false +} + +variable "sqs_endpoint_security_group_ids" { + description = "The ID of one or more security groups to associate with the network interface for SQS endpoint" + default = [] +} + +variable "sqs_endpoint_subnet_ids" { + description = "The ID of one or more subnets in which to create a network interface for SQS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." + default = [] +} + +variable "sqs_endpoint_private_dns_enabled" { + description = "Whether or not to associate a private hosted zone with the specified VPC for SQS endpoint" default = false } @@ -206,161 +260,265 @@ variable "sqs_endpoint_private_dns_enabled" { variable "enable_ssm_endpoint" { description = "Should be true if you want to provision an SSM endpoint to the VPC" + type = bool default = false } variable "ssm_endpoint_security_group_ids" { description = "The ID of one or more security groups to associate with the network interface for SSM endpoint" + type = list(string) default = [] } variable "ssm_endpoint_subnet_ids" { description = "The ID of one or more subnets in which to create a network interface for SSM endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." + type = list(string) default = [] } variable "ssm_endpoint_private_dns_enabled" { description = "Whether or not to associate a private hosted zone with the specified VPC for SSM endpoint" + type = bool default = false } variable "enable_ssmmessages_endpoint" { description = "Should be true if you want to provision a SSMMESSAGES endpoint to the VPC" + type = bool default = false } variable "enable_apigw_endpoint" { description = "Should be true if you want to provision an api gateway endpoint to the VPC" + type = bool default = false } variable "apigw_endpoint_security_group_ids" { description = "The ID of one or more security groups to associate with the network interface for API GW endpoint" + type = list(string) default = [] } variable "apigw_endpoint_private_dns_enabled" { description = "Whether or not to associate a private hosted zone with the specified VPC for API GW endpoint" + type = bool default = false } variable "apigw_endpoint_subnet_ids" { description = "The ID of one or more subnets in which to create a network interface for API GW endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." + type = list(string) default = [] } variable "ssmmessages_endpoint_security_group_ids" { description = "The ID of one or more security groups to associate with the network interface for SSMMESSAGES endpoint" + type = list(string) default = [] } variable "ssmmessages_endpoint_subnet_ids" { description = "The ID of one or more subnets in which to create a network interface for SSMMESSAGES endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." + type = list(string) default = [] } variable "ssmmessages_endpoint_private_dns_enabled" { description = "Whether or not to associate a private hosted zone with the specified VPC for SSMMESSAGES endpoint" + type = bool default = false } variable "enable_ec2_endpoint" { description = "Should be true if you want to provision an EC2 endpoint to the VPC" + type = bool default = false } variable "ec2_endpoint_security_group_ids" { description = "The ID of one or more security groups to associate with the network interface for EC2 endpoint" + type = list(string) default = [] } variable "ec2_endpoint_private_dns_enabled" { description = "Whether or not to associate a private hosted zone with the specified VPC for EC2 endpoint" + type = bool default = false } variable "ec2_endpoint_subnet_ids" { description = "The ID of one or more subnets in which to create a network interface for EC2 endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." + type = list(string) default = [] } variable "enable_ec2messages_endpoint" { description = "Should be true if you want to provision an EC2MESSAGES endpoint to the VPC" + type = bool default = false } variable "ec2messages_endpoint_security_group_ids" { description = "The ID of one or more security groups to associate with the network interface for EC2MESSAGES endpoint" + type = list(string) default = [] } variable "ec2messages_endpoint_private_dns_enabled" { description = "Whether or not to associate a private hosted zone with the specified VPC for EC2MESSAGES endpoint" + type = bool default = false } variable "ec2messages_endpoint_subnet_ids" { description = "The ID of one or more subnets in which to create a network interface for EC2MESSAGES endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." + type = list(string) default = [] } variable "enable_ecr_api_endpoint" { description = "Should be true if you want to provision an ecr api endpoint to the VPC" + type = bool default = false } variable "ecr_api_endpoint_subnet_ids" { description = "The ID of one or more subnets in which to create a network interface for ECR api endpoint. If omitted, private subnets will be used." + type = list(string) default = [] } variable "ecr_api_endpoint_private_dns_enabled" { description = "Whether or not to associate a private hosted zone with the specified VPC for ECR API endpoint" + type = bool default = false } variable "ecr_api_endpoint_security_group_ids" { description = "The ID of one or more security groups to associate with the network interface for ECR API endpoint" + type = list(string) default = [] } variable "enable_ecr_dkr_endpoint" { description = "Should be true if you want to provision an ecr dkr endpoint to the VPC" + type = bool default = false } variable "ecr_dkr_endpoint_subnet_ids" { description = "The ID of one or more subnets in which to create a network interface for ECR dkr endpoint. If omitted, private subnets will be used." + type = list(string) default = [] } variable "ecr_dkr_endpoint_private_dns_enabled" { description = "Whether or not to associate a private hosted zone with the specified VPC for ECR DKR endpoint" + type = bool default = false } variable "ecr_dkr_endpoint_security_group_ids" { description = "The ID of one or more security groups to associate with the network interface for ECR DKR endpoint" + type = list(string) default = [] } variable "enable_kms_endpoint" { description = "Should be true if you want to provision a KMS endpoint to the VPC" + type = bool default = false } variable "kms_endpoint_security_group_ids" { description = "The ID of one or more security groups to associate with the network interface for KMS endpoint" + type = list(string) default = [] } variable "kms_endpoint_subnet_ids" { description = "The ID of one or more subnets in which to create a network interface for KMS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." + type = list(string) default = [] } variable "kms_endpoint_private_dns_enabled" { description = "Whether or not to associate a private hosted zone with the specified VPC for KMS endpoint" + type = bool + default = false +} + +variable "enable_ecs_endpoint" { + description = "Should be true if you want to provision a ECS endpoint to the VPC" + type = bool + default = false +} + +variable "ecs_endpoint_security_group_ids" { + description = "The ID of one or more security groups to associate with the network interface for ECS endpoint" + type = list(string) + default = [] +} + +variable "ecs_endpoint_subnet_ids" { + description = "The ID of one or more subnets in which to create a network interface for ECS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." + type = list(string) + default = [] +} + +variable "ecs_endpoint_private_dns_enabled" { + description = "Whether or not to associate a private hosted zone with the specified VPC for ECS endpoint" + type = bool + default = false +} + +variable "enable_ecs_agent_endpoint" { + description = "Should be true if you want to provision a ECS Agent endpoint to the VPC" + type = bool + default = false +} + +variable "ecs_agent_endpoint_security_group_ids" { + description = "The ID of one or more security groups to associate with the network interface for ECS Agent endpoint" + type = list(string) + default = [] +} + +variable "ecs_agent_endpoint_subnet_ids" { + description = "The ID of one or more subnets in which to create a network interface for ECS Agent endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." + type = list(string) + default = [] +} + +variable "ecs_agent_endpoint_private_dns_enabled" { + description = "Whether or not to associate a private hosted zone with the specified VPC for ECS Agent endpoint" + type = bool + default = false +} + +variable "enable_ecs_telemetry_endpoint" { + description = "Should be true if you want to provision a ECS Telemetry endpoint to the VPC" + type = bool + default = false +} + +variable "ecs_telemetry_endpoint_security_group_ids" { + description = "The ID of one or more security groups to associate with the network interface for ECS Telemetry endpoint" + type = list(string) + default = [] +} + +variable "ecs_telemetry_endpoint_subnet_ids" { + description = "The ID of one or more subnets in which to create a network interface for ECS Telemetry endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." + type = list(string) + default = [] +} + +variable "ecs_telemetry_endpoint_private_dns_enabled" { + description = "Whether or not to associate a private hosted zone with the specified VPC for ECS Telemetry endpoint" + type = bool default = false } @@ -426,11 +584,13 @@ variable "ecs_telemetry_endpoint_private_dns_enabled" { variable "map_public_ip_on_launch" { description = "Should be false if you do not want to auto-assign public IP on launch" + type = bool default = true } variable "enable_vpn_gateway" { description = "Should be true if you want to create a new VPN Gateway resource and attach it to the VPC" + type = bool default = false } @@ -446,267 +606,316 @@ variable "amazon_side_asn" { variable "propagate_private_route_tables_vgw" { description = "Should be true if you want route table propagation" + type = bool default = false } variable "propagate_public_route_tables_vgw" { description = "Should be true if you want route table propagation" + type = bool default = false } variable "tags" { description = "A map of tags to add to all resources" + type = map(string) default = {} } variable "vpc_tags" { description = "Additional tags for the VPC" + type = map(string) default = {} } variable "igw_tags" { description = "Additional tags for the internet gateway" + type = map(string) default = {} } variable "public_subnet_tags" { description = "Additional tags for the public subnets" + type = map(string) default = {} } variable "private_subnet_tags" { description = "Additional tags for the private subnets" + type = map(string) default = {} } variable "public_route_table_tags" { description = "Additional tags for the public route tables" + type = map(string) default = {} } variable "private_route_table_tags" { description = "Additional tags for the private route tables" + type = map(string) default = {} } variable "database_route_table_tags" { description = "Additional tags for the database route tables" + type = map(string) default = {} } variable "redshift_route_table_tags" { description = "Additional tags for the redshift route tables" + type = map(string) default = {} } variable "elasticache_route_table_tags" { description = "Additional tags for the elasticache route tables" + type = map(string) default = {} } variable "intra_route_table_tags" { description = "Additional tags for the intra route tables" + type = map(string) default = {} } variable "database_subnet_tags" { description = "Additional tags for the database subnets" + type = map(string) default = {} } variable "database_subnet_group_tags" { description = "Additional tags for the database subnet group" + type = map(string) default = {} } variable "redshift_subnet_tags" { description = "Additional tags for the redshift subnets" + type = map(string) default = {} } variable "redshift_subnet_group_tags" { description = "Additional tags for the redshift subnet group" + type = map(string) default = {} } variable "elasticache_subnet_tags" { description = "Additional tags for the elasticache subnets" + type = map(string) default = {} } variable "intra_subnet_tags" { description = "Additional tags for the intra subnets" + type = map(string) default = {} } variable "public_acl_tags" { description = "Additional tags for the public subnets network ACL" + type = map(string) default = {} } variable "private_acl_tags" { description = "Additional tags for the private subnets network ACL" + type = map(string) default = {} } variable "intra_acl_tags" { description = "Additional tags for the intra subnets network ACL" + type = map(string) default = {} } variable "database_acl_tags" { description = "Additional tags for the database subnets network ACL" + type = map(string) default = {} } variable "redshift_acl_tags" { description = "Additional tags for the redshift subnets network ACL" + type = map(string) default = {} } variable "elasticache_acl_tags" { description = "Additional tags for the elasticache subnets network ACL" + type = map(string) default = {} } variable "dhcp_options_tags" { description = "Additional tags for the DHCP option set (requires enable_dhcp_options set to true)" + type = map(string) default = {} } variable "nat_gateway_tags" { description = "Additional tags for the NAT gateways" + type = map(string) default = {} } variable "nat_eip_tags" { description = "Additional tags for the NAT EIP" + type = map(string) default = {} } variable "vpn_gateway_tags" { description = "Additional tags for the VPN gateway" + type = map(string) default = {} } variable "enable_dhcp_options" { description = "Should be true if you want to specify a DHCP options set with a custom domain name, DNS servers, NTP servers, netbios servers, and/or netbios server type" + type = bool default = false } variable "dhcp_options_domain_name" { description = "Specifies DNS name for DHCP options set (requires enable_dhcp_options set to true)" + type = string default = "" } variable "dhcp_options_domain_name_servers" { description = "Specify a list of DNS server addresses for DHCP options set, default to AWS provided (requires enable_dhcp_options set to true)" - - default = ["AmazonProvidedDNS"] + type = list(string) + default = ["AmazonProvidedDNS"] } variable "dhcp_options_ntp_servers" { description = "Specify a list of NTP servers for DHCP options set (requires enable_dhcp_options set to true)" - - default = [] + type = list(string) + default = [] } variable "dhcp_options_netbios_name_servers" { description = "Specify a list of netbios servers for DHCP options set (requires enable_dhcp_options set to true)" - - default = [] + type = list(string) + default = [] } variable "dhcp_options_netbios_node_type" { description = "Specify netbios node_type for DHCP options set (requires enable_dhcp_options set to true)" + type = string default = "" } variable "manage_default_vpc" { description = "Should be true to adopt and manage Default VPC" + type = bool default = false } variable "default_vpc_name" { description = "Name to be used on the Default VPC" + type = string default = "" } variable "default_vpc_enable_dns_support" { description = "Should be true to enable DNS support in the Default VPC" + type = bool default = true } variable "default_vpc_enable_dns_hostnames" { description = "Should be true to enable DNS hostnames in the Default VPC" + type = bool default = false } variable "default_vpc_enable_classiclink" { description = "Should be true to enable ClassicLink in the Default VPC" + type = bool default = false } variable "default_vpc_tags" { description = "Additional tags for the Default VPC" + type = map(string) default = {} } variable "manage_default_network_acl" { description = "Should be true to adopt and manage Default Network ACL" + type = bool default = false } variable "default_network_acl_name" { description = "Name to be used on the Default Network ACL" + type = string default = "" } variable "default_network_acl_tags" { description = "Additional tags for the Default Network ACL" + type = map(string) default = {} } variable "public_dedicated_network_acl" { description = "Whether to use dedicated network ACL (not default) and custom rules for public subnets" + type = bool default = false } variable "private_dedicated_network_acl" { description = "Whether to use dedicated network ACL (not default) and custom rules for private subnets" + type = bool default = false } variable "intra_dedicated_network_acl" { description = "Whether to use dedicated network ACL (not default) and custom rules for intra subnets" + type = bool default = false } variable "database_dedicated_network_acl" { description = "Whether to use dedicated network ACL (not default) and custom rules for database subnets" + type = bool default = false } variable "redshift_dedicated_network_acl" { description = "Whether to use dedicated network ACL (not default) and custom rules for redshift subnets" + type = bool default = false } variable "elasticache_dedicated_network_acl" { description = "Whether to use dedicated network ACL (not default) and custom rules for elasticache subnets" + type = bool default = false } variable "default_network_acl_ingress" { description = "List of maps of ingress rules to set on the Default Network ACL" + type = list(map(string)) - default = [{ - rule_no = 100 - action = "allow" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_block = "0.0.0.0/0" + default = [ + { + rule_no = 100 + action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_block = "0.0.0.0/0" }, { rule_no = 101 @@ -721,14 +930,16 @@ variable "default_network_acl_ingress" { variable "default_network_acl_egress" { description = "List of maps of egress rules to set on the Default Network ACL" + type = list(map(string)) - default = [{ - rule_no = 100 - action = "allow" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_block = "0.0.0.0/0" + default = [ + { + rule_no = 100 + action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_block = "0.0.0.0/0" }, { rule_no = 101 @@ -743,6 +954,7 @@ variable "default_network_acl_egress" { variable "public_inbound_acl_rules" { description = "Public subnets inbound network ACLs" + type = list(map(string)) default = [ { @@ -758,6 +970,7 @@ variable "public_inbound_acl_rules" { variable "public_outbound_acl_rules" { description = "Public subnets outbound network ACLs" + type = list(map(string)) default = [ { @@ -773,6 +986,7 @@ variable "public_outbound_acl_rules" { variable "private_inbound_acl_rules" { description = "Private subnets inbound network ACLs" + type = list(map(string)) default = [ { @@ -788,6 +1002,7 @@ variable "private_inbound_acl_rules" { variable "private_outbound_acl_rules" { description = "Private subnets outbound network ACLs" + type = list(map(string)) default = [ { @@ -803,6 +1018,7 @@ variable "private_outbound_acl_rules" { variable "intra_inbound_acl_rules" { description = "Intra subnets inbound network ACLs" + type = list(map(string)) default = [ { @@ -818,6 +1034,7 @@ variable "intra_inbound_acl_rules" { variable "intra_outbound_acl_rules" { description = "Intra subnets outbound network ACLs" + type = list(map(string)) default = [ { @@ -833,6 +1050,7 @@ variable "intra_outbound_acl_rules" { variable "database_inbound_acl_rules" { description = "Database subnets inbound network ACL rules" + type = list(map(string)) default = [ { @@ -848,6 +1066,7 @@ variable "database_inbound_acl_rules" { variable "database_outbound_acl_rules" { description = "Database subnets outbound network ACL rules" + type = list(map(string)) default = [ { @@ -863,6 +1082,7 @@ variable "database_outbound_acl_rules" { variable "redshift_inbound_acl_rules" { description = "Redshift subnets inbound network ACL rules" + type = list(map(string)) default = [ { @@ -878,6 +1098,7 @@ variable "redshift_inbound_acl_rules" { variable "redshift_outbound_acl_rules" { description = "Redshift subnets outbound network ACL rules" + type = list(map(string)) default = [ { @@ -893,6 +1114,7 @@ variable "redshift_outbound_acl_rules" { variable "elasticache_inbound_acl_rules" { description = "Elasticache subnets inbound network ACL rules" + type = list(map(string)) default = [ { @@ -908,6 +1130,7 @@ variable "elasticache_inbound_acl_rules" { variable "elasticache_outbound_acl_rules" { description = "Elasticache subnets outbound network ACL rules" + type = list(map(string)) default = [ { @@ -920,3 +1143,4 @@ variable "elasticache_outbound_acl_rules" { }, ] } +