Added missing route_table for intra_subnets, and prepare the release
antonbabenko committed Jun 4, 2018
1 parent d1a4990 commit 9ced5e9
Showing 7 changed files with 56 additions and 6 deletions.
12 changes: 10 additions & 2 deletions README.md
Expand Up @@ -122,9 +122,15 @@ If `one_nat_gateway_per_az = true` and `single_nat_gateway = false`, then the mo
* The variable `var.azs` **must** be specified.
* The number of public subnet CIDR blocks specified in `public_subnets` **must** be greater than or equal to the number of availability zones specified in `var.azs`. This is to ensure that each NAT Gateway has a dedicated public subnet to deploy to.

## Private Versus Intra Subnets ##
## "private" versus "intra" subnets

By default, if NAT Gateways are enabled, `private` subnets will be configured with routes for Internet traffic that point at the NAT Gateways configured by use of the above options. If you need private subnets that should have no Internet routing (in the sense of RFC1918 Category 1 subnets), `intra_subnets` are available. An example use case is configuration of Lambda functions within a VPC, where the Lambda functions only need to pass traffic to internal resources or VPC endpoints for AWS services. Since Lambda functions allocate Elastic Network Interfaces in proportion to the traffic received, it can be useful to allocate a large private subnet for such allocations, while keeping the traffic they generate entirely internal to the VPC. You can add additional tags with `intra_subnet_tags` as with other subnet types.
By default, if NAT Gateways are enabled, private subnets will be configured with routes for Internet traffic that point at the NAT Gateways configured by use of the above options.

If you need private subnets that should have no Internet routing (in the sense of [RFC1918 Category 1 subnets](https://tools.ietf.org/html/rfc1918)), `intra_subnets` should be specified. An example use case is configuration of AWS Lambda functions within a VPC, where AWS Lambda functions only need to pass traffic to internal resources or VPC endpoints for AWS services.

Since AWS Lambda functions allocate Elastic Network Interfaces in proportion to the traffic received ([read more](https://docs.aws.amazon.com/lambda/latest/dg/vpc.html)), it can be useful to allocate a large private subnet for such allocations, while keeping the traffic they generate entirely internal to the VPC.

You can add additional tags with `intra_subnet_tags` as with other subnet types.

## Conditional creation

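Review bot: the new section should state how intra subnets reach AWS services, because this same commit attaches the S3 and DynamoDB gateway endpoints to the intra route table whenever `enable_s3_endpoint` / `enable_dynamodb_endpoint` are set; as written, "no Internet routing" next to "VPC endpoints for AWS services" leaves the reader to guess whether the endpoints are actually wired up for intra subnets. One sentence such as "When the S3 or DynamoDB endpoint is enabled, it is associated with the intra route table as well" would close that gap. Minor wording point: RFC 1918 section 3 defines Category 1 hosts, not subnets, so "hosts in the sense of RFC 1918 Category 1" is the more accurate phrasing.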
Expand Down Expand Up @@ -186,6 +192,7 @@ Terraform version 0.10.3 or newer is required for this module to work.
| enable_vpn_gateway | Should be true if you want to create a new VPN Gateway resource and attach it to the VPC | string | `false` | no |
| external_nat_ip_ids | List of EIP IDs to be assigned to the NAT Gateways (used in combination with reuse_nat_ips) | list | `<list>` | no |
| instance_tenancy | A tenancy option for instances launched into the VPC | string | `default` | no |
| intra_route_table_tags | Additional tags for the intra route tables | string | `<map>` | no |
| intra_subnet_tags | Additional tags for the intra subnets | string | `<map>` | no |
| intra_subnets | A list of intra subnets | list | `<list>` | no |
| manage_default_vpc | Should be true to adopt and manage Default VPC | string | `false` | no |
Expand Down Expand Up @@ -232,6 +239,7 @@ Terraform version 0.10.3 or newer is required for this module to work.
| elasticache_subnets | List of IDs of elasticache subnets |
| elasticache_subnets_cidr_blocks | List of cidr_blocks of elasticache subnets |
| igw_id | Internet Gateway |
| intra_route_table_ids | List of IDs of intra route tables |
| intra_subnets | List of IDs of intra subnets |
| intra_subnets_cidr_blocks | List of cidr_blocks of intra subnets |
| nat_ids | List of allocation ID of Elastic IPs created for AWS NAT Gateway |
Expand Down
4 changes: 2 additions & 2 deletions examples/complete-vpc/README.md
Expand Up @@ -2,7 +2,7 @@

Configuration in this directory creates set of VPC resources which may be sufficient for staging or production environment (look into [simple-vpc](../simple-vpc) for more simplified setup).

There are public, private, database, ElastiCache subnets, intra (private w/o Internet access) subnets, and NAT Gateways created in each availability zone.
There are public, private, database, ElastiCache, intra (private w/o Internet access) subnets, and NAT Gateways created in each availability zone.

## Usage

Expand All @@ -24,11 +24,11 @@ Note that this example may create resources which can cost money (AWS Elastic IP
|------|-------------|
| database_subnets | List of IDs of database subnets |
| elasticache_subnets | List of IDs of elasticache subnets |
| intra_subnets | List of IDs of intra subnets |
| nat_public_ips | NAT gateways |
| private_subnets | Subnets |
| public_subnets | List of IDs of public subnets |
| redshift_subnets | List of IDs of redshift subnets |
| intra_subnets | List of IDs of intra subnets |
| vpc_id | VPC |

<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
2 changes: 2 additions & 0 deletions examples/complete-vpc/main.tf
Expand Up @@ -20,6 +20,8 @@ module "vpc" {
create_database_subnet_group = false

enable_nat_gateway = true
single_nat_gateway = true

enable_vpn_gateway = true

enable_s3_endpoint = true
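Review bot: `single_nat_gateway = true` makes this example create exactly one NAT Gateway, but the example's README edited in this same commit still says "NAT Gateways created in each availability zone"; update one or the other so the example and its description agree. If the single gateway is intentional to keep the example cheap, it is worth saying so in the README, since with one NAT Gateway all private-subnet egress depends on a single AZ.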
Expand Down
5 changes: 5 additions & 0 deletions examples/complete-vpc/outputs.tf
Expand Up @@ -30,6 +30,11 @@ output "redshift_subnets" {
value = ["${module.vpc.redshift_subnets}"]
}

output "intra_subnets" {
description = "List of IDs of intra subnets"
value = ["${module.vpc.intra_subnets}"]
}

# NAT gateways
output "nat_public_ips" {
description = "List of public Elastic IPs created for AWS NAT Gateway"
Expand Down
29 changes: 27 additions & 2 deletions main.tf
Expand Up @@ -98,6 +98,17 @@ resource "aws_route_table" "private" {
}
}

#################
# Intra routes
#################
resource "aws_route_table" "intra" {
count = "${var.create_vpc && length(var.intra_subnets) > 0 ? 1 : 0}"

vpc_id = "${aws_vpc.this.id}"

tags = "${merge(var.tags, var.intra_route_table_tags, map("Name", "${var.name}-intra"))}"
}

################
# Public subnet
################
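Review bot: the absence of any `aws_route` on this table is the whole point of the change (intra subnets get only the implicit `local` route), but nothing in the block says so; a short comment such as `# No routes are added here on purpose: intra subnets must not reach the Internet` would stop a later contributor from "completing" the table with a default route to the IGW or NAT Gateway. Also, since `count` is at most 1, a single table serves all AZs and the Name tag is `${var.name}-intra` with no AZ suffix, which is fine for a routeless table; just keep the plural wording in the README and outputs consistent with that.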
Expand Down Expand Up @@ -274,6 +285,13 @@ resource "aws_vpc_endpoint_route_table_association" "private_s3" {
route_table_id = "${element(aws_route_table.private.*.id, count.index)}"
}

resource "aws_vpc_endpoint_route_table_association" "intra_s3" {
count = "${var.create_vpc && var.enable_s3_endpoint ? 1 : 0}"

vpc_endpoint_id = "${aws_vpc_endpoint.s3.id}"
route_table_id = "${element(aws_route_table.intra.*.id, 0)}"
}

resource "aws_vpc_endpoint_route_table_association" "public_s3" {
count = "${var.create_vpc && var.enable_s3_endpoint && length(var.public_subnets) > 0 ? 1 : 0}"

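Review bot: the `count` on `intra_s3` lacks a `length(var.intra_subnets) > 0` guard. With `enable_s3_endpoint = true` and no intra subnets, `aws_route_table.intra` has count 0 and `element(aws_route_table.intra.*.id, 0)` is evaluated against an empty list, which Terraform refuses, so existing users who never set `intra_subnets` would see the upgrade fail. The `public_s3` association directly below already gates on `length(var.public_subnets) > 0`; mirror it: `count = "${var.create_vpc && var.enable_s3_endpoint && length(var.intra_subnets) > 0 ? 1 : 0}"`.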
Expand Down Expand Up @@ -304,6 +322,13 @@ resource "aws_vpc_endpoint_route_table_association" "private_dynamodb" {
route_table_id = "${element(aws_route_table.private.*.id, count.index)}"
}

resource "aws_vpc_endpoint_route_table_association" "intra_dynamodb" {
count = "${var.create_vpc && var.enable_dynamodb_endpoint ? 1 : 0}"

vpc_endpoint_id = "${aws_vpc_endpoint.dynamodb.id}"
route_table_id = "${element(aws_route_table.intra.*.id, 0)}"
}

resource "aws_vpc_endpoint_route_table_association" "public_dynamodb" {
count = "${var.create_vpc && var.enable_dynamodb_endpoint && length(var.public_subnets) > 0 ? 1 : 0}"

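Review bot: same missing guard as in `intra_s3` above: `count` should also require `length(var.intra_subnets) > 0`, otherwise `element(aws_route_table.intra.*.id, 0)` runs against an empty list when the DynamoDB endpoint is enabled but no intra subnets are defined. Suggested: `count = "${var.create_vpc && var.enable_dynamodb_endpoint && length(var.intra_subnets) > 0 ? 1 : 0}"`, matching `public_dynamodb` below.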
Expand Down Expand Up @@ -346,7 +371,7 @@ resource "aws_route_table_association" "intra" {
count = "${var.create_vpc && length(var.intra_subnets) > 0 ? length(var.intra_subnets) : 0}"

subnet_id = "${element(aws_subnet.intra.*.id, count.index)}"
route_table_id = "${element(aws_route_table.private.*.id, (var.single_nat_gateway ? 0 : count.index))}"
route_table_id = "${element(aws_route_table.intra.*.id, 0)}"
}

resource "aws_route_table_association" "public" {
Expand Down Expand Up @@ -375,7 +400,7 @@ resource "aws_vpn_gateway_attachment" "this" {
}

resource "aws_vpn_gateway_route_propagation" "public" {
count = "${var.create_vpc && var.propagate_public_route_tables_vgw && (var.enable_vpn_gateway || var.vpn_gateway_id != "") ? 1 : 0}"
count = "${var.create_vpc && var.propagate_public_route_tables_vgw && (var.enable_vpn_gateway || var.vpn_gateway_id != "") ? 1 : 0}"

route_table_id = "${element(aws_route_table.public.*.id, count.index)}"
vpn_gateway_id = "${element(concat(aws_vpn_gateway.this.*.id, aws_vpn_gateway_attachment.this.*.vpn_gateway_id), count.index)}"
Expand Down
5 changes: 5 additions & 0 deletions outputs.tf
Expand Up @@ -151,6 +151,11 @@ output "private_route_table_ids" {
value = ["${aws_route_table.private.*.id}"]
}

output "intra_route_table_ids" {
description = "List of IDs of intra route tables"
value = ["${aws_route_table.intra.*.id}"]
}

output "nat_ids" {
description = "List of allocation ID of Elastic IPs created for AWS NAT Gateway"
value = ["${aws_eip.nat.*.id}"]
Expand Down
5 changes: 5 additions & 0 deletions variables.tf
Expand Up @@ -168,6 +168,11 @@ variable "private_route_table_tags" {
default = {}
}

variable "intra_route_table_tags" {
description = "Additional tags for the intra route tables"
default = {}
}

variable "database_subnet_tags" {
description = "Additional tags for the database subnets"
default = {}
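Review bot: `intra_route_table_tags` declares only a `default`, no `type`, which is why the generated README row shows it as `string` with a `<map>` default. Adding `type = "map"` here (the surrounding tag variables could get the same treatment) lets the docs hook render the type correctly and gives callers an early error when a non-map value is passed.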
Expand Down

0 comments on commit 9ced5e9