This is a mirror of the official AWS VPC Terraform module from GitHub, kept here to avoid the frequent clone failures seen when fetching it from GitHub directly.


  locals {
    # Widest of the non-public subnet lists; this drives the NAT gateway
    # count and therefore the number of private route tables.
    max_subnet_length = max(
      length(var.private_subnets),
      length(var.elasticache_subnets),
      length(var.database_subnets),
      length(var.redshift_subnets),
    )

    # One shared NAT gateway, one per AZ, or one per private subnet slot.
    nat_gateway_count = (
      var.single_nat_gateway
      ? 1
      : (var.one_nat_gateway_per_az ? length(var.azs) : local.max_subnet_length)
    )

    # The VPC ID is read through the secondary CIDR association first so that
    # Terraform orders subnet deletion before the secondary CIDR blocks are
    # released; the trailing "" keeps element() valid when no VPC is created.
    vpc_id = element(
      concat(
        aws_vpc_ipv4_cidr_block_association.this[*].vpc_id,
        aws_vpc.this[*].id,
        [""],
      ),
      0,
    )

    # Tag set shared by the VPC endpoint resources defined elsewhere.
    vpce_tags = merge(var.tags, var.vpc_endpoint_tags)
  }
  23. ######
  24. # VPC
  25. ######
  resource "aws_vpc" "this" {
    count = var.create_vpc ? 1 : 0

    cidr_block       = var.cidr
    instance_tenancy = var.instance_tenancy

    # DNS and legacy ClassicLink switches are passed straight through from
    # the module inputs; nothing here forces a particular value.
    enable_dns_support             = var.enable_dns_support
    enable_dns_hostnames           = var.enable_dns_hostnames
    enable_classiclink             = var.enable_classiclink
    enable_classiclink_dns_support = var.enable_classiclink_dns_support

    # An Amazon-provided IPv6 block is requested only when IPv6 is enabled;
    # the per-subnet blocks are carved out of it with cidrsubnet(..., 8, ...)
    # in the subnet resources below.
    assign_generated_ipv6_cidr_block = var.enable_ipv6

    tags = merge(
      { Name = var.name },
      var.tags,
      var.vpc_tags,
    )
  }
  resource "aws_vpc_ipv4_cidr_block_association" "this" {
    # One association per secondary CIDR; none unless the VPC is managed here.
    count = var.create_vpc && length(var.secondary_cidr_blocks) > 0 ? length(var.secondary_cidr_blocks) : 0

    vpc_id     = aws_vpc.this[0].id
    cidr_block = var.secondary_cidr_blocks[count.index]
  }
  resource "aws_default_security_group" "this" {
    # Adopting the VPC's default security group lets the module own its rule
    # set instead of leaving whatever AWS created.
    count = var.create_vpc && var.manage_default_security_group ? 1 : 0

    vpc_id = aws_vpc.this[0].id

    # Each rule is a map whose keys are all optional. Mind the fallbacks: an
    # entry that omits protocol/from_port/to_port becomes protocol "-1" with
    # ports 0 (all traffic), so the cidr_blocks / ipv6_cidr_blocks / self /
    # security_groups keys are what actually bound each rule's exposure.
    dynamic "ingress" {
      for_each = var.default_security_group_ingress
      content {
        description = lookup(ingress.value, "description", null)
        protocol    = lookup(ingress.value, "protocol", "-1")
        from_port   = lookup(ingress.value, "from_port", 0)
        to_port     = lookup(ingress.value, "to_port", 0)
        self        = lookup(ingress.value, "self", null)

        # Sources are given as comma-separated strings; empty items drop out.
        cidr_blocks      = compact(split(",", lookup(ingress.value, "cidr_blocks", "")))
        ipv6_cidr_blocks = compact(split(",", lookup(ingress.value, "ipv6_cidr_blocks", "")))
        prefix_list_ids  = compact(split(",", lookup(ingress.value, "prefix_list_ids", "")))
        security_groups  = compact(split(",", lookup(ingress.value, "security_groups", "")))
      }
    }

    dynamic "egress" {
      for_each = var.default_security_group_egress
      content {
        description = lookup(egress.value, "description", null)
        protocol    = lookup(egress.value, "protocol", "-1")
        from_port   = lookup(egress.value, "from_port", 0)
        to_port     = lookup(egress.value, "to_port", 0)
        self        = lookup(egress.value, "self", null)

        cidr_blocks      = compact(split(",", lookup(egress.value, "cidr_blocks", "")))
        ipv6_cidr_blocks = compact(split(",", lookup(egress.value, "ipv6_cidr_blocks", "")))
        prefix_list_ids  = compact(split(",", lookup(egress.value, "prefix_list_ids", "")))
        security_groups  = compact(split(",", lookup(egress.value, "security_groups", "")))
      }
    }

    tags = merge(
      { Name = var.default_security_group_name },
      var.tags,
      var.default_security_group_tags,
    )
  }
  87. ###################
  88. # DHCP Options Set
  89. ###################
  resource "aws_vpc_dhcp_options" "this" {
    count = var.create_vpc && var.enable_dhcp_options ? 1 : 0

    # All option values come from the module inputs; the resolver and NTP
    # servers handed to instances are therefore whatever the caller supplies.
    domain_name          = var.dhcp_options_domain_name
    domain_name_servers  = var.dhcp_options_domain_name_servers
    ntp_servers          = var.dhcp_options_ntp_servers
    netbios_name_servers = var.dhcp_options_netbios_name_servers
    netbios_node_type    = var.dhcp_options_netbios_node_type

    tags = merge(
      { Name = var.name },
      var.tags,
      var.dhcp_options_tags,
    )
  }
  105. ###############################
  106. # DHCP Options Set Association
  107. ###############################
  resource "aws_vpc_dhcp_options_association" "this" {
    # Same gate as the option set itself, so [0] below always exists.
    count = var.create_vpc && var.enable_dhcp_options ? 1 : 0

    vpc_id          = local.vpc_id
    dhcp_options_id = aws_vpc_dhcp_options.this[0].id
  }
  113. ###################
  114. # Internet Gateway
  115. ###################
  resource "aws_internet_gateway" "this" {
    # No IGW without public subnets: nothing else in the module needs one.
    count = var.create_vpc && var.create_igw && length(var.public_subnets) > 0 ? 1 : 0

    vpc_id = local.vpc_id

    tags = merge(
      { Name = var.name },
      var.tags,
      var.igw_tags,
    )
  }
  resource "aws_egress_only_internet_gateway" "this" {
    # Outbound-only IPv6 path for the non-public subnets; requires IPv6 and
    # at least one such subnet.
    count = var.create_vpc && var.create_egress_only_igw && var.enable_ipv6 && local.max_subnet_length > 0 ? 1 : 0

    vpc_id = local.vpc_id

    # Shares the IGW tag set; there is no dedicated egress-only tag variable.
    tags = merge(
      { Name = var.name },
      var.tags,
      var.igw_tags,
    )
  }
  138. ################
  139. # Public routes
  140. ################
  resource "aws_route_table" "public" {
    # A single route table is shared by every public subnet.
    count = var.create_vpc && length(var.public_subnets) > 0 ? 1 : 0

    vpc_id = local.vpc_id

    tags = merge(
      { Name = "${var.name}-${var.public_subnet_suffix}" },
      var.tags,
      var.public_route_table_tags,
    )
  }
  resource "aws_route" "public_internet_gateway" {
    count = var.create_vpc && var.create_igw && length(var.public_subnets) > 0 ? 1 : 0

    # IPv4 default route via the IGW: this is what makes the public subnets
    # reachable from the Internet (together with public IPs on the instances).
    route_table_id         = aws_route_table.public[0].id
    destination_cidr_block = "0.0.0.0/0"
    gateway_id             = aws_internet_gateway.this[0].id

    timeouts {
      create = "5m"
    }
  }
  resource "aws_route" "public_internet_gateway_ipv6" {
    count = var.create_vpc && var.create_igw && var.enable_ipv6 && length(var.public_subnets) > 0 ? 1 : 0

    # IPv6 counterpart of the default route above. Unlike the IPv4 route it
    # carries no create timeout.
    route_table_id              = aws_route_table.public[0].id
    destination_ipv6_cidr_block = "::/0"
    gateway_id                  = aws_internet_gateway.this[0].id
  }
  167. #################
  168. # Private routes
  169. # There are as many routing tables as the number of NAT gateways
  170. #################
  resource "aws_route_table" "private" {
    # One private route table per NAT gateway (see local.nat_gateway_count).
    count = var.create_vpc && local.max_subnet_length > 0 ? local.nat_gateway_count : 0

    vpc_id = local.vpc_id

    tags = merge(
      {
        # With a single NAT gateway there is one table and no AZ suffix;
        # element() wraps, so the AZ suffix repeats if count exceeds the AZs.
        Name = (
          var.single_nat_gateway
          ? "${var.name}-${var.private_subnet_suffix}"
          : "${var.name}-${var.private_subnet_suffix}-${element(var.azs, count.index)}"
        )
      },
      var.tags,
      var.private_route_table_tags,
    )
  }
  186. #################
  187. # Database routes
  188. #################
  resource "aws_route_table" "database" {
    # Opt-in dedicated table for the database subnets (at most one).
    count = var.create_vpc && var.create_database_subnet_route_table && length(var.database_subnets) > 0 ? 1 : 0

    vpc_id = local.vpc_id

    tags = merge(
      { Name = "${var.name}-${var.database_subnet_suffix}" },
      var.tags,
      var.database_route_table_tags,
    )
  }
  resource "aws_route" "database_internet_gateway" {
    # Gives the database subnets a direct IGW default route. The IGW and NAT
    # options are mutually exclusive here; this one wins only when the NAT
    # route is not requested.
    count = var.create_vpc && var.create_igw && var.create_database_subnet_route_table && length(var.database_subnets) > 0 && var.create_database_internet_gateway_route && !var.create_database_nat_gateway_route ? 1 : 0

    route_table_id         = aws_route_table.database[0].id
    destination_cidr_block = "0.0.0.0/0"
    gateway_id             = aws_internet_gateway.this[0].id

    timeouts {
      create = "5m"
    }
  }
  resource "aws_route" "database_nat_gateway" {
    # NAT default route for the database subnets, one per NAT gateway.
    count = var.create_vpc && var.create_database_subnet_route_table && length(var.database_subnets) > 0 && !var.create_database_internet_gateway_route && var.create_database_nat_gateway_route && var.enable_nat_gateway ? local.nat_gateway_count : 0

    # The database route table has count 1, so element() wraps and every
    # instance of this route targets the same table.
    # NOTE(review): with more than one NAT gateway this declares several
    # routes for the same table and destination — confirm that is intended.
    route_table_id         = element(aws_route_table.database[*].id, count.index)
    destination_cidr_block = "0.0.0.0/0"
    nat_gateway_id         = element(aws_nat_gateway.this[*].id, count.index)

    timeouts {
      create = "5m"
    }
  }
  resource "aws_route" "database_ipv6_egress" {
    # Outbound-only IPv6 default route for the database subnets; gated on the
    # same flag as the IPv4 IGW route.
    count = var.create_vpc && var.create_egress_only_igw && var.enable_ipv6 && var.create_database_subnet_route_table && length(var.database_subnets) > 0 && var.create_database_internet_gateway_route ? 1 : 0

    route_table_id              = aws_route_table.database[0].id
    destination_ipv6_cidr_block = "::/0"
    egress_only_gateway_id      = aws_egress_only_internet_gateway.this[0].id

    timeouts {
      create = "5m"
    }
  }
  227. #################
  228. # Redshift routes
  229. #################
  resource "aws_route_table" "redshift" {
    # Opt-in dedicated table for the Redshift subnets (at most one).
    count = var.create_vpc && var.create_redshift_subnet_route_table && length(var.redshift_subnets) > 0 ? 1 : 0

    vpc_id = local.vpc_id

    tags = merge(
      { Name = "${var.name}-${var.redshift_subnet_suffix}" },
      var.tags,
      var.redshift_route_table_tags,
    )
  }
  241. #################
  242. # Elasticache routes
  243. #################
  resource "aws_route_table" "elasticache" {
    # Opt-in dedicated table for the ElastiCache subnets (at most one).
    count = var.create_vpc && var.create_elasticache_subnet_route_table && length(var.elasticache_subnets) > 0 ? 1 : 0

    vpc_id = local.vpc_id

    tags = merge(
      { Name = "${var.name}-${var.elasticache_subnet_suffix}" },
      var.tags,
      var.elasticache_route_table_tags,
    )
  }
  255. #################
  256. # Intra routes
  257. #################
  resource "aws_route_table" "intra" {
    # Intra subnets get their own table; no default route is attached to it
    # in this file, so they stay without Internet egress.
    count = var.create_vpc && length(var.intra_subnets) > 0 ? 1 : 0

    vpc_id = local.vpc_id

    tags = merge(
      { Name = "${var.name}-${var.intra_subnet_suffix}" },
      var.tags,
      var.intra_route_table_tags,
    )
  }
  269. ################
  270. # Public subnet
  271. ################
  resource "aws_subnet" "public" {
    # When one NAT gateway per AZ is requested there must be at least as many
    # public subnets as AZs (presumably because each NAT gateway is placed in
    # a public subnet; the NAT resources are defined elsewhere).
    count = var.create_vpc && length(var.public_subnets) > 0 && (!var.one_nat_gateway_per_az || length(var.public_subnets) >= length(var.azs)) ? length(var.public_subnets) : 0

    vpc_id     = local.vpc_id
    cidr_block = element(concat(var.public_subnets, [""]), count.index)

    # var.azs may hold AZ names (e.g. "eu-west-1a") or AZ IDs; a leading
    # two-letter region prefix marks a name and selects the attribute used.
    availability_zone    = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) != 0 ? element(var.azs, count.index) : null
    availability_zone_id = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) == 0 ? element(var.azs, count.index) : null

    # Public IPv4 on launch plus the IGW default route is what exposes
    # instances in these subnets to the Internet.
    map_public_ip_on_launch = var.map_public_ip_on_launch

    # Per-tier override first, module-wide setting otherwise.
    assign_ipv6_address_on_creation = var.public_subnet_assign_ipv6_address_on_creation != null ? var.public_subnet_assign_ipv6_address_on_creation : var.assign_ipv6_address_on_creation
    ipv6_cidr_block                 = var.enable_ipv6 && length(var.public_subnet_ipv6_prefixes) > 0 ? cidrsubnet(aws_vpc.this[0].ipv6_cidr_block, 8, var.public_subnet_ipv6_prefixes[count.index]) : null

    tags = merge(
      { Name = "${var.name}-${var.public_subnet_suffix}-${element(var.azs, count.index)}" },
      var.tags,
      var.public_subnet_tags,
    )
  }
  293. #################
  294. # Private subnet
  295. #################
  resource "aws_subnet" "private" {
    count = var.create_vpc && length(var.private_subnets) > 0 ? length(var.private_subnets) : 0

    vpc_id     = local.vpc_id
    cidr_block = element(var.private_subnets, count.index)

    # AZ name vs AZ ID is told apart by the two-letter region prefix.
    availability_zone    = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) != 0 ? element(var.azs, count.index) : null
    availability_zone_id = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) == 0 ? element(var.azs, count.index) : null

    # No map_public_ip_on_launch here: private subnets never hand out
    # public IPv4 addresses on launch.
    assign_ipv6_address_on_creation = var.private_subnet_assign_ipv6_address_on_creation != null ? var.private_subnet_assign_ipv6_address_on_creation : var.assign_ipv6_address_on_creation
    ipv6_cidr_block                 = var.enable_ipv6 && length(var.private_subnet_ipv6_prefixes) > 0 ? cidrsubnet(aws_vpc.this[0].ipv6_cidr_block, 8, var.private_subnet_ipv6_prefixes[count.index]) : null

    tags = merge(
      { Name = "${var.name}-${var.private_subnet_suffix}-${element(var.azs, count.index)}" },
      var.tags,
      var.private_subnet_tags,
    )
  }
  316. ##################
  317. # Database subnet
  318. ##################
  resource "aws_subnet" "database" {
    count = var.create_vpc && length(var.database_subnets) > 0 ? length(var.database_subnets) : 0

    vpc_id     = local.vpc_id
    cidr_block = element(var.database_subnets, count.index)

    # AZ name vs AZ ID is told apart by the two-letter region prefix.
    availability_zone    = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) != 0 ? element(var.azs, count.index) : null
    availability_zone_id = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) == 0 ? element(var.azs, count.index) : null

    assign_ipv6_address_on_creation = var.database_subnet_assign_ipv6_address_on_creation != null ? var.database_subnet_assign_ipv6_address_on_creation : var.assign_ipv6_address_on_creation
    ipv6_cidr_block                 = var.enable_ipv6 && length(var.database_subnet_ipv6_prefixes) > 0 ? cidrsubnet(aws_vpc.this[0].ipv6_cidr_block, 8, var.database_subnet_ipv6_prefixes[count.index]) : null

    tags = merge(
      { Name = "${var.name}-${var.database_subnet_suffix}-${element(var.azs, count.index)}" },
      var.tags,
      var.database_subnet_tags,
    )
  }
  resource "aws_db_subnet_group" "database" {
    count = var.create_vpc && length(var.database_subnets) > 0 && var.create_database_subnet_group ? 1 : 0

    # RDS subnet group names are lower-cased here; the Name tag keeps the
    # original casing.
    name        = lower(var.name)
    description = "Database subnet group for ${var.name}"
    subnet_ids  = aws_subnet.database[*].id

    tags = merge(
      { Name = var.name },
      var.tags,
      var.database_subnet_group_tags,
    )
  }
  352. ##################
  353. # Redshift subnet
  354. ##################
  resource "aws_subnet" "redshift" {
    count = var.create_vpc && length(var.redshift_subnets) > 0 ? length(var.redshift_subnets) : 0

    vpc_id     = local.vpc_id
    cidr_block = element(var.redshift_subnets, count.index)

    # AZ name vs AZ ID is told apart by the two-letter region prefix.
    availability_zone    = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) != 0 ? element(var.azs, count.index) : null
    availability_zone_id = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) == 0 ? element(var.azs, count.index) : null

    assign_ipv6_address_on_creation = var.redshift_subnet_assign_ipv6_address_on_creation != null ? var.redshift_subnet_assign_ipv6_address_on_creation : var.assign_ipv6_address_on_creation
    ipv6_cidr_block                 = var.enable_ipv6 && length(var.redshift_subnet_ipv6_prefixes) > 0 ? cidrsubnet(aws_vpc.this[0].ipv6_cidr_block, 8, var.redshift_subnet_ipv6_prefixes[count.index]) : null

    tags = merge(
      { Name = "${var.name}-${var.redshift_subnet_suffix}-${element(var.azs, count.index)}" },
      var.tags,
      var.redshift_subnet_tags,
    )
  }
  resource "aws_redshift_subnet_group" "redshift" {
    count = var.create_vpc && length(var.redshift_subnets) > 0 && var.create_redshift_subnet_group ? 1 : 0

    # Lower-cased group name, mirroring the RDS subnet group above.
    name        = lower(var.name)
    description = "Redshift subnet group for ${var.name}"
    subnet_ids  = aws_subnet.redshift[*].id

    tags = merge(
      { Name = var.name },
      var.tags,
      var.redshift_subnet_group_tags,
    )
  }
  388. #####################
  389. # ElastiCache subnet
  390. #####################
  resource "aws_subnet" "elasticache" {
    count = var.create_vpc && length(var.elasticache_subnets) > 0 ? length(var.elasticache_subnets) : 0

    vpc_id     = local.vpc_id
    cidr_block = element(var.elasticache_subnets, count.index)

    # AZ name vs AZ ID is told apart by the two-letter region prefix.
    availability_zone    = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) != 0 ? element(var.azs, count.index) : null
    availability_zone_id = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) == 0 ? element(var.azs, count.index) : null

    assign_ipv6_address_on_creation = var.elasticache_subnet_assign_ipv6_address_on_creation != null ? var.elasticache_subnet_assign_ipv6_address_on_creation : var.assign_ipv6_address_on_creation
    ipv6_cidr_block                 = var.enable_ipv6 && length(var.elasticache_subnet_ipv6_prefixes) > 0 ? cidrsubnet(aws_vpc.this[0].ipv6_cidr_block, 8, var.elasticache_subnet_ipv6_prefixes[count.index]) : null

    tags = merge(
      { Name = "${var.name}-${var.elasticache_subnet_suffix}-${element(var.azs, count.index)}" },
      var.tags,
      var.elasticache_subnet_tags,
    )
  }
  resource "aws_elasticache_subnet_group" "elasticache" {
    count = var.create_vpc && length(var.elasticache_subnets) > 0 && var.create_elasticache_subnet_group ? 1 : 0

    # Unlike the RDS/Redshift groups the name is not lower-cased and no tags
    # are set on this resource.
    name        = var.name
    description = "ElastiCache subnet group for ${var.name}"
    subnet_ids  = aws_subnet.elasticache[*].id
  }
  417. #####################################################
  418. # intra subnets - private subnet without NAT gateway
  419. #####################################################
  resource "aws_subnet" "intra" {
    # Intra subnets: private tier with no NAT path (see the intra route table).
    count = var.create_vpc && length(var.intra_subnets) > 0 ? length(var.intra_subnets) : 0

    vpc_id     = local.vpc_id
    cidr_block = element(var.intra_subnets, count.index)

    # AZ name vs AZ ID is told apart by the two-letter region prefix.
    availability_zone    = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) != 0 ? element(var.azs, count.index) : null
    availability_zone_id = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) == 0 ? element(var.azs, count.index) : null

    assign_ipv6_address_on_creation = var.intra_subnet_assign_ipv6_address_on_creation != null ? var.intra_subnet_assign_ipv6_address_on_creation : var.assign_ipv6_address_on_creation
    ipv6_cidr_block                 = var.enable_ipv6 && length(var.intra_subnet_ipv6_prefixes) > 0 ? cidrsubnet(aws_vpc.this[0].ipv6_cidr_block, 8, var.intra_subnet_ipv6_prefixes[count.index]) : null

    tags = merge(
      { Name = "${var.name}-${var.intra_subnet_suffix}-${element(var.azs, count.index)}" },
      var.tags,
      var.intra_subnet_tags,
    )
  }
  440. #######################
  441. # Default Network ACLs
  442. #######################
  resource "aws_default_network_acl" "this" {
    # Adopting the default NACL lets the module define the rules that apply
    # to any subnet not covered by a dedicated NACL below.
    count = var.create_vpc && var.manage_default_network_acl ? 1 : 0

    default_network_acl_id = element(concat(aws_vpc.this[*].default_network_acl_id, [""]), 0)

    # Every subnet this module creates, minus those already attached to one
    # of the dedicated NACLs, so no subnet is silently left unassociated.
    subnet_ids = setsubtract(
      compact(flatten([
        aws_subnet.public[*].id,
        aws_subnet.private[*].id,
        aws_subnet.intra[*].id,
        aws_subnet.database[*].id,
        aws_subnet.redshift[*].id,
        aws_subnet.elasticache[*].id,
      ])),
      compact(flatten([
        aws_network_acl.public[*].subnet_ids,
        aws_network_acl.private[*].subnet_ids,
        aws_network_acl.intra[*].subnet_ids,
        aws_network_acl.database[*].subnet_ids,
        aws_network_acl.redshift[*].subnet_ids,
        aws_network_acl.elasticache[*].subnet_ids,
      ])),
    )

    # action, protocol, rule_no, from_port and to_port are required on every
    # rule map; the CIDR and ICMP keys are optional.
    dynamic "ingress" {
      for_each = var.default_network_acl_ingress
      content {
        rule_no   = ingress.value.rule_no
        action    = ingress.value.action
        protocol  = ingress.value.protocol
        from_port = ingress.value.from_port
        to_port   = ingress.value.to_port

        cidr_block      = lookup(ingress.value, "cidr_block", null)
        ipv6_cidr_block = lookup(ingress.value, "ipv6_cidr_block", null)
        icmp_type       = lookup(ingress.value, "icmp_type", null)
        icmp_code       = lookup(ingress.value, "icmp_code", null)
      }
    }

    dynamic "egress" {
      for_each = var.default_network_acl_egress
      content {
        rule_no   = egress.value.rule_no
        action    = egress.value.action
        protocol  = egress.value.protocol
        from_port = egress.value.from_port
        to_port   = egress.value.to_port

        cidr_block      = lookup(egress.value, "cidr_block", null)
        ipv6_cidr_block = lookup(egress.value, "ipv6_cidr_block", null)
        icmp_type       = lookup(egress.value, "icmp_type", null)
        icmp_code       = lookup(egress.value, "icmp_code", null)
      }
    }

    tags = merge(
      { Name = var.default_network_acl_name },
      var.tags,
      var.default_network_acl_tags,
    )
  }
  502. ########################
  503. # Public Network ACLs
  504. ########################
  resource "aws_network_acl" "public" {
    # Dedicated NACL for the public tier, opt-in via public_dedicated_network_acl.
    count = var.create_vpc && var.public_dedicated_network_acl && length(var.public_subnets) > 0 ? 1 : 0

    vpc_id     = element(concat(aws_vpc.this[*].id, [""]), 0)
    subnet_ids = aws_subnet.public[*].id

    tags = merge(
      { Name = "${var.name}-${var.public_subnet_suffix}" },
      var.tags,
      var.public_acl_tags,
    )
  }
  resource "aws_network_acl_rule" "public_inbound" {
    count = var.create_vpc && var.public_dedicated_network_acl && length(var.public_subnets) > 0 ? length(var.public_inbound_acl_rules) : 0

    network_acl_id = aws_network_acl.public[0].id
    egress         = false

    # rule_number, rule_action and protocol must be present in each rule map;
    # ports, ICMP fields and CIDRs are optional and default to null.
    rule_number = var.public_inbound_acl_rules[count.index].rule_number
    rule_action = var.public_inbound_acl_rules[count.index].rule_action
    protocol    = var.public_inbound_acl_rules[count.index].protocol

    from_port = lookup(var.public_inbound_acl_rules[count.index], "from_port", null)
    to_port   = lookup(var.public_inbound_acl_rules[count.index], "to_port", null)
    icmp_type = lookup(var.public_inbound_acl_rules[count.index], "icmp_type", null)
    icmp_code = lookup(var.public_inbound_acl_rules[count.index], "icmp_code", null)

    cidr_block      = lookup(var.public_inbound_acl_rules[count.index], "cidr_block", null)
    ipv6_cidr_block = lookup(var.public_inbound_acl_rules[count.index], "ipv6_cidr_block", null)
  }
  resource "aws_network_acl_rule" "public_outbound" {
    count = var.create_vpc && var.public_dedicated_network_acl && length(var.public_subnets) > 0 ? length(var.public_outbound_acl_rules) : 0

    network_acl_id = aws_network_acl.public[0].id
    egress         = true

    # Same rule-map shape as public_inbound; only the direction differs.
    rule_number = var.public_outbound_acl_rules[count.index].rule_number
    rule_action = var.public_outbound_acl_rules[count.index].rule_action
    protocol    = var.public_outbound_acl_rules[count.index].protocol

    from_port = lookup(var.public_outbound_acl_rules[count.index], "from_port", null)
    to_port   = lookup(var.public_outbound_acl_rules[count.index], "to_port", null)
    icmp_type = lookup(var.public_outbound_acl_rules[count.index], "icmp_type", null)
    icmp_code = lookup(var.public_outbound_acl_rules[count.index], "icmp_code", null)

    cidr_block      = lookup(var.public_outbound_acl_rules[count.index], "cidr_block", null)
    ipv6_cidr_block = lookup(var.public_outbound_acl_rules[count.index], "ipv6_cidr_block", null)
  }
  545. #######################
  546. # Private Network ACLs
  547. #######################
  resource "aws_network_acl" "private" {
    # Dedicated NACL for the private tier, opt-in via private_dedicated_network_acl.
    count = var.create_vpc && var.private_dedicated_network_acl && length(var.private_subnets) > 0 ? 1 : 0

    vpc_id     = element(concat(aws_vpc.this[*].id, [""]), 0)
    subnet_ids = aws_subnet.private[*].id

    tags = merge(
      { Name = "${var.name}-${var.private_subnet_suffix}" },
      var.tags,
      var.private_acl_tags,
    )
  }
  resource "aws_network_acl_rule" "private_inbound" {
    count = var.create_vpc && var.private_dedicated_network_acl && length(var.private_subnets) > 0 ? length(var.private_inbound_acl_rules) : 0

    network_acl_id = aws_network_acl.private[0].id
    egress         = false

    # rule_number, rule_action and protocol must be present in each rule map;
    # ports, ICMP fields and CIDRs are optional and default to null.
    rule_number = var.private_inbound_acl_rules[count.index].rule_number
    rule_action = var.private_inbound_acl_rules[count.index].rule_action
    protocol    = var.private_inbound_acl_rules[count.index].protocol

    from_port = lookup(var.private_inbound_acl_rules[count.index], "from_port", null)
    to_port   = lookup(var.private_inbound_acl_rules[count.index], "to_port", null)
    icmp_type = lookup(var.private_inbound_acl_rules[count.index], "icmp_type", null)
    icmp_code = lookup(var.private_inbound_acl_rules[count.index], "icmp_code", null)

    cidr_block      = lookup(var.private_inbound_acl_rules[count.index], "cidr_block", null)
    ipv6_cidr_block = lookup(var.private_inbound_acl_rules[count.index], "ipv6_cidr_block", null)
  }
  resource "aws_network_acl_rule" "private_outbound" {
    count = var.create_vpc && var.private_dedicated_network_acl && length(var.private_subnets) > 0 ? length(var.private_outbound_acl_rules) : 0

    network_acl_id = aws_network_acl.private[0].id
    egress         = true

    # Same rule-map shape as private_inbound; only the direction differs.
    rule_number = var.private_outbound_acl_rules[count.index].rule_number
    rule_action = var.private_outbound_acl_rules[count.index].rule_action
    protocol    = var.private_outbound_acl_rules[count.index].protocol

    from_port = lookup(var.private_outbound_acl_rules[count.index], "from_port", null)
    to_port   = lookup(var.private_outbound_acl_rules[count.index], "to_port", null)
    icmp_type = lookup(var.private_outbound_acl_rules[count.index], "icmp_type", null)
    icmp_code = lookup(var.private_outbound_acl_rules[count.index], "icmp_code", null)

    cidr_block      = lookup(var.private_outbound_acl_rules[count.index], "cidr_block", null)
    ipv6_cidr_block = lookup(var.private_outbound_acl_rules[count.index], "ipv6_cidr_block", null)
  }
  588. ########################
  589. # Intra Network ACLs
  590. ########################
  resource "aws_network_acl" "intra" {
    # Dedicated NACL for the intra tier, opt-in via intra_dedicated_network_acl.
    count = var.create_vpc && var.intra_dedicated_network_acl && length(var.intra_subnets) > 0 ? 1 : 0

    vpc_id     = element(concat(aws_vpc.this[*].id, [""]), 0)
    subnet_ids = aws_subnet.intra[*].id

    tags = merge(
      { Name = "${var.name}-${var.intra_subnet_suffix}" },
      var.tags,
      var.intra_acl_tags,
    )
  }
  resource "aws_network_acl_rule" "intra_inbound" {
    count = var.create_vpc && var.intra_dedicated_network_acl && length(var.intra_subnets) > 0 ? length(var.intra_inbound_acl_rules) : 0

    network_acl_id = aws_network_acl.intra[0].id
    egress         = false

    # rule_number, rule_action and protocol must be present in each rule map;
    # ports, ICMP fields and CIDRs are optional and default to null.
    rule_number = var.intra_inbound_acl_rules[count.index].rule_number
    rule_action = var.intra_inbound_acl_rules[count.index].rule_action
    protocol    = var.intra_inbound_acl_rules[count.index].protocol

    from_port = lookup(var.intra_inbound_acl_rules[count.index], "from_port", null)
    to_port   = lookup(var.intra_inbound_acl_rules[count.index], "to_port", null)
    icmp_type = lookup(var.intra_inbound_acl_rules[count.index], "icmp_type", null)
    icmp_code = lookup(var.intra_inbound_acl_rules[count.index], "icmp_code", null)

    cidr_block      = lookup(var.intra_inbound_acl_rules[count.index], "cidr_block", null)
    ipv6_cidr_block = lookup(var.intra_inbound_acl_rules[count.index], "ipv6_cidr_block", null)
  }
  resource "aws_network_acl_rule" "intra_outbound" {
    count = var.create_vpc && var.intra_dedicated_network_acl && length(var.intra_subnets) > 0 ? length(var.intra_outbound_acl_rules) : 0

    network_acl_id = aws_network_acl.intra[0].id
    egress         = true

    # Same rule-map shape as intra_inbound; only the direction differs.
    rule_number = var.intra_outbound_acl_rules[count.index].rule_number
    rule_action = var.intra_outbound_acl_rules[count.index].rule_action
    protocol    = var.intra_outbound_acl_rules[count.index].protocol

    from_port = lookup(var.intra_outbound_acl_rules[count.index], "from_port", null)
    to_port   = lookup(var.intra_outbound_acl_rules[count.index], "to_port", null)
    icmp_type = lookup(var.intra_outbound_acl_rules[count.index], "icmp_type", null)
    icmp_code = lookup(var.intra_outbound_acl_rules[count.index], "icmp_code", null)

    cidr_block      = lookup(var.intra_outbound_acl_rules[count.index], "cidr_block", null)
    ipv6_cidr_block = lookup(var.intra_outbound_acl_rules[count.index], "ipv6_cidr_block", null)
  }
  631. ########################
  632. # Database Network ACLs
  633. ########################
  resource "aws_network_acl" "database" {
    # Dedicated NACL for the database tier, opt-in via database_dedicated_network_acl.
    count = var.create_vpc && var.database_dedicated_network_acl && length(var.database_subnets) > 0 ? 1 : 0

    vpc_id     = element(concat(aws_vpc.this[*].id, [""]), 0)
    subnet_ids = aws_subnet.database[*].id

    tags = merge(
      { Name = "${var.name}-${var.database_subnet_suffix}" },
      var.tags,
      var.database_acl_tags,
    )
  }
  resource "aws_network_acl_rule" "database_inbound" {
    count = var.create_vpc && var.database_dedicated_network_acl && length(var.database_subnets) > 0 ? length(var.database_inbound_acl_rules) : 0

    network_acl_id = aws_network_acl.database[0].id
    egress         = false

    # rule_number, rule_action and protocol must be present in each rule map;
    # ports, ICMP fields and CIDRs are optional and default to null.
    rule_number = var.database_inbound_acl_rules[count.index].rule_number
    rule_action = var.database_inbound_acl_rules[count.index].rule_action
    protocol    = var.database_inbound_acl_rules[count.index].protocol

    from_port = lookup(var.database_inbound_acl_rules[count.index], "from_port", null)
    to_port   = lookup(var.database_inbound_acl_rules[count.index], "to_port", null)
    icmp_type = lookup(var.database_inbound_acl_rules[count.index], "icmp_type", null)
    icmp_code = lookup(var.database_inbound_acl_rules[count.index], "icmp_code", null)

    cidr_block      = lookup(var.database_inbound_acl_rules[count.index], "cidr_block", null)
    ipv6_cidr_block = lookup(var.database_inbound_acl_rules[count.index], "ipv6_cidr_block", null)
  }
  resource "aws_network_acl_rule" "database_outbound" {
    count = var.create_vpc && var.database_dedicated_network_acl && length(var.database_subnets) > 0 ? length(var.database_outbound_acl_rules) : 0

    network_acl_id = aws_network_acl.database[0].id
    egress         = true

    # Same rule-map shape as database_inbound; only the direction differs.
    rule_number = var.database_outbound_acl_rules[count.index].rule_number
    rule_action = var.database_outbound_acl_rules[count.index].rule_action
    protocol    = var.database_outbound_acl_rules[count.index].protocol

    from_port = lookup(var.database_outbound_acl_rules[count.index], "from_port", null)
    to_port   = lookup(var.database_outbound_acl_rules[count.index], "to_port", null)
    icmp_type = lookup(var.database_outbound_acl_rules[count.index], "icmp_type", null)
    icmp_code = lookup(var.database_outbound_acl_rules[count.index], "icmp_code", null)

    cidr_block      = lookup(var.database_outbound_acl_rules[count.index], "cidr_block", null)
    ipv6_cidr_block = lookup(var.database_outbound_acl_rules[count.index], "ipv6_cidr_block", null)
  }
  674. ########################
  675. # Redshift Network ACLs
  676. ########################
  resource "aws_network_acl" "redshift" {
    # Dedicated NACL for the Redshift tier, opt-in via redshift_dedicated_network_acl.
    count = var.create_vpc && var.redshift_dedicated_network_acl && length(var.redshift_subnets) > 0 ? 1 : 0

    vpc_id     = element(concat(aws_vpc.this[*].id, [""]), 0)
    subnet_ids = aws_subnet.redshift[*].id

    tags = merge(
      { Name = "${var.name}-${var.redshift_subnet_suffix}" },
      var.tags,
      var.redshift_acl_tags,
    )
  }
  # Ingress rules of the dedicated Redshift network ACL, one instance per entry
  # in var.redshift_inbound_acl_rules. Count mirrors aws_network_acl.redshift so
  # the [0] reference below is only evaluated when that ACL exists.
  resource "aws_network_acl_rule" "redshift_inbound" {
    count = var.create_vpc && var.redshift_dedicated_network_acl && length(var.redshift_subnets) > 0 ? length(var.redshift_inbound_acl_rules) : 0

    network_acl_id = aws_network_acl.redshift[0].id
    egress         = false

    # Required keys, passed through verbatim from the caller's rule map.
    rule_number = var.redshift_inbound_acl_rules[count.index]["rule_number"]
    rule_action = var.redshift_inbound_acl_rules[count.index]["rule_action"]
    protocol    = var.redshift_inbound_acl_rules[count.index]["protocol"]

    # Optional port / ICMP selectors; null means "not set" for the provider.
    from_port = lookup(var.redshift_inbound_acl_rules[count.index], "from_port", null)
    to_port   = lookup(var.redshift_inbound_acl_rules[count.index], "to_port", null)
    icmp_type = lookup(var.redshift_inbound_acl_rules[count.index], "icmp_type", null)
    icmp_code = lookup(var.redshift_inbound_acl_rules[count.index], "icmp_code", null)

    # Source scope of the inbound rule (IPv4 or IPv6 form, caller's choice).
    cidr_block      = lookup(var.redshift_inbound_acl_rules[count.index], "cidr_block", null)
    ipv6_cidr_block = lookup(var.redshift_inbound_acl_rules[count.index], "ipv6_cidr_block", null)
  }
  # Egress rules of the dedicated Redshift network ACL, one instance per entry
  # in var.redshift_outbound_acl_rules, created under the same conditions as
  # aws_network_acl.redshift.
  resource "aws_network_acl_rule" "redshift_outbound" {
    count = var.create_vpc && var.redshift_dedicated_network_acl && length(var.redshift_subnets) > 0 ? length(var.redshift_outbound_acl_rules) : 0

    network_acl_id = aws_network_acl.redshift[0].id
    egress         = true

    # Required keys; allow/deny and protocol come straight from the caller.
    rule_number = var.redshift_outbound_acl_rules[count.index]["rule_number"]
    rule_action = var.redshift_outbound_acl_rules[count.index]["rule_action"]
    protocol    = var.redshift_outbound_acl_rules[count.index]["protocol"]

    # Optional selectors, omitted (null) when the rule map does not carry them.
    from_port = lookup(var.redshift_outbound_acl_rules[count.index], "from_port", null)
    to_port   = lookup(var.redshift_outbound_acl_rules[count.index], "to_port", null)
    icmp_type = lookup(var.redshift_outbound_acl_rules[count.index], "icmp_type", null)
    icmp_code = lookup(var.redshift_outbound_acl_rules[count.index], "icmp_code", null)

    # Destination scope of the outbound rule.
    cidr_block      = lookup(var.redshift_outbound_acl_rules[count.index], "cidr_block", null)
    ipv6_cidr_block = lookup(var.redshift_outbound_acl_rules[count.index], "ipv6_cidr_block", null)
  }
  717. ###########################
  718. # Elasticache Network ACLs
  719. ###########################
  # Dedicated network ACL for the ElastiCache subnets; opt-in via
  # elasticache_dedicated_network_acl and only when such subnets exist.
  resource "aws_network_acl" "elasticache" {
    count = var.create_vpc && var.elasticache_dedicated_network_acl && length(var.elasticache_subnets) > 0 ? 1 : 0

    # NOTE(review): reads the VPC id directly rather than via local.vpc_id as
    # other resources in this file do.
    vpc_id     = element(concat(aws_vpc.this[*].id, [""]), 0)
    subnet_ids = aws_subnet.elasticache[*].id

    # Generated Name first so caller tags and ACL tags can override it.
    tags = merge(
      { "Name" = "${var.name}-${var.elasticache_subnet_suffix}" },
      var.tags,
      var.elasticache_acl_tags,
    )
  }
  # Ingress rules of the dedicated ElastiCache network ACL, one per entry in
  # var.elasticache_inbound_acl_rules; count mirrors aws_network_acl.elasticache.
  resource "aws_network_acl_rule" "elasticache_inbound" {
    count = var.create_vpc && var.elasticache_dedicated_network_acl && length(var.elasticache_subnets) > 0 ? length(var.elasticache_inbound_acl_rules) : 0

    network_acl_id = aws_network_acl.elasticache[0].id
    egress         = false

    # Required keys, passed through unchanged; the module does not restrict how
    # permissive an inbound rule may be.
    rule_number = var.elasticache_inbound_acl_rules[count.index]["rule_number"]
    rule_action = var.elasticache_inbound_acl_rules[count.index]["rule_action"]
    protocol    = var.elasticache_inbound_acl_rules[count.index]["protocol"]

    # Optional selectors default to null.
    from_port = lookup(var.elasticache_inbound_acl_rules[count.index], "from_port", null)
    to_port   = lookup(var.elasticache_inbound_acl_rules[count.index], "to_port", null)
    icmp_type = lookup(var.elasticache_inbound_acl_rules[count.index], "icmp_type", null)
    icmp_code = lookup(var.elasticache_inbound_acl_rules[count.index], "icmp_code", null)

    # Source scope (IPv4 or IPv6).
    cidr_block      = lookup(var.elasticache_inbound_acl_rules[count.index], "cidr_block", null)
    ipv6_cidr_block = lookup(var.elasticache_inbound_acl_rules[count.index], "ipv6_cidr_block", null)
  }
  # Egress rules of the dedicated ElastiCache network ACL, one per entry in
  # var.elasticache_outbound_acl_rules; count mirrors aws_network_acl.elasticache.
  resource "aws_network_acl_rule" "elasticache_outbound" {
    count = var.create_vpc && var.elasticache_dedicated_network_acl && length(var.elasticache_subnets) > 0 ? length(var.elasticache_outbound_acl_rules) : 0

    network_acl_id = aws_network_acl.elasticache[0].id
    egress         = true

    # Required keys, taken verbatim from the caller's rule map.
    rule_number = var.elasticache_outbound_acl_rules[count.index]["rule_number"]
    rule_action = var.elasticache_outbound_acl_rules[count.index]["rule_action"]
    protocol    = var.elasticache_outbound_acl_rules[count.index]["protocol"]

    # Optional selectors default to null.
    from_port = lookup(var.elasticache_outbound_acl_rules[count.index], "from_port", null)
    to_port   = lookup(var.elasticache_outbound_acl_rules[count.index], "to_port", null)
    icmp_type = lookup(var.elasticache_outbound_acl_rules[count.index], "icmp_type", null)
    icmp_code = lookup(var.elasticache_outbound_acl_rules[count.index], "icmp_code", null)

    # Destination scope (IPv4 or IPv6).
    cidr_block      = lookup(var.elasticache_outbound_acl_rules[count.index], "cidr_block", null)
    ipv6_cidr_block = lookup(var.elasticache_outbound_acl_rules[count.index], "ipv6_cidr_block", null)
  }
  760. ##############
  761. # NAT Gateway
  762. ##############
  763. # Workaround for interpolation not being able to "short-circuit" the evaluation of the conditional branch that doesn't end up being used
  764. # Source: https://github.com/hashicorp/terraform/issues/11566#issuecomment-289417805
  765. #
  766. # The logical expression would be
  767. #
  768. # nat_gateway_ips = var.reuse_nat_ips ? var.external_nat_ip_ids : aws_eip.nat.*.id
  769. #
  770. # but when aws_eip.nat has a count of zero, evaluating aws_eip.nat.*.id would throw a resource-not-found error.
  # Elastic IP allocation ids handed to aws_nat_gateway.this: either the
  # caller-supplied external ids or the ones allocated by aws_eip.nat.
  # The join()/split() round trip is the short-circuit workaround described
  # above and is kept as-is. Note that split(",", "") yields [""] rather than
  # [], so with no EIPs the list still has one empty entry; that is harmless
  # because nothing indexes into it unless a NAT gateway is actually created.
  locals {
    nat_gateway_ips = var.reuse_nat_ips ? split(",", join(",", var.external_nat_ip_ids)) : split(",", join(",", aws_eip.nat[*].id))
  }
  # Elastic IPs for the NAT gateways, allocated only when the module is asked to
  # create NAT gateways and the caller did not bring their own (reuse_nat_ips).
  # One per NAT gateway (local.nat_gateway_count).
  resource "aws_eip" "nat" {
    count = var.create_vpc && var.enable_nat_gateway && !var.reuse_nat_ips ? local.nat_gateway_count : 0

    vpc = true

    # Name carries the AZ of the NAT gateway this EIP serves; with a single NAT
    # gateway every instance is labelled with the first AZ.
    tags = merge(
      {
        "Name" = "${var.name}-${element(var.azs, var.single_nat_gateway ? 0 : count.index)}"
      },
      var.tags,
      var.nat_eip_tags,
    )
  }
  # NAT gateways for private-subnet egress, one per entry in local.nat_gateway_count.
  # Each is placed in a public subnet and bound to the EIP with the same index;
  # with single_nat_gateway every gateway collapses onto index 0.
  resource "aws_nat_gateway" "this" {
    count = var.create_vpc && var.enable_nat_gateway ? local.nat_gateway_count : 0

    # Which EIP / public subnet to use: index 0 for a single gateway, otherwise
    # the gateway's own index. element() wraps around if the list is shorter.
    allocation_id = element(local.nat_gateway_ips, var.single_nat_gateway ? 0 : count.index)
    subnet_id     = element(aws_subnet.public[*].id, var.single_nat_gateway ? 0 : count.index)

    tags = merge(
      {
        "Name" = "${var.name}-${element(var.azs, var.single_nat_gateway ? 0 : count.index)}"
      },
      var.tags,
      var.nat_gateway_tags,
    )

    # A NAT gateway needs the internet gateway to exist first; the dependency is
    # not visible through any attribute, hence the explicit depends_on.
    depends_on = [aws_internet_gateway.this]
  }
  # Default IPv4 route from each private route table to the NAT gateway with the
  # same index. This is what gives private subnets unrestricted outbound internet
  # access; any egress filtering has to come from NACLs / security groups.
  resource "aws_route" "private_nat_gateway" {
    count = var.create_vpc && var.enable_nat_gateway ? local.nat_gateway_count : 0

    route_table_id         = element(aws_route_table.private[*].id, count.index)
    nat_gateway_id         = element(aws_nat_gateway.this[*].id, count.index)
    destination_cidr_block = "0.0.0.0/0"

    # Route creation can lag behind NAT gateway readiness; allow it more time.
    timeouts {
      create = "5m"
    }
  }
  # Default IPv6 route (::/0) from the private route tables to the egress-only
  # internet gateway, i.e. IPv6 traffic initiated from inside the VPC only.
  # NOTE(review): count follows var.private_subnets, but the route-table list it
  # indexes is defined elsewhere in this file; if that list is shorter (e.g. if
  # single_nat_gateway collapses it to one table) element() wraps and several
  # instances would add the same destination to the same table — confirm against
  # the aws_route_table.private count.
  resource "aws_route" "private_ipv6_egress" {
    count = var.create_vpc && var.create_egress_only_igw && var.enable_ipv6 ? length(var.private_subnets) : 0
    route_table_id = element(aws_route_table.private.*.id, count.index)
    destination_ipv6_cidr_block = "::/0"
    # Always the first (and only) egress-only internet gateway.
    egress_only_gateway_id = element(aws_egress_only_internet_gateway.this.*.id, 0)
  }
  830. ##########################
  831. # Route table association
  832. ##########################
  # Binds each private subnet to a private route table. With a single NAT
  # gateway there is one table shared by all private subnets (index 0); otherwise
  # subnet i uses table i (element() wraps if there are fewer tables).
  resource "aws_route_table_association" "private" {
    count = var.create_vpc && length(var.private_subnets) > 0 ? length(var.private_subnets) : 0

    subnet_id      = element(aws_subnet.private[*].id, count.index)
    route_table_id = element(aws_route_table.private[*].id, var.single_nat_gateway ? 0 : count.index)
  }
  # Binds each database subnet to a route table. A dedicated database table is
  # preferred; when none exists, coalescelist() falls back to the private tables,
  # so database subnets then inherit whatever the private tables route (including
  # the NAT default route when enable_nat_gateway is set).
  resource "aws_route_table_association" "database" {
    count = var.create_vpc && length(var.database_subnets) > 0 ? length(var.database_subnets) : 0

    subnet_id = element(aws_subnet.database[*].id, count.index)

    # Index 0 whenever only one table is meaningful (single NAT gateway, or the
    # single dedicated database table); otherwise the subnet's own index.
    route_table_id = element(
      coalescelist(aws_route_table.database[*].id, aws_route_table.private[*].id),
      var.single_nat_gateway || var.create_database_subnet_route_table ? 0 : count.index,
    )
  }
  # Private placement of the Redshift subnets (enable_public_redshift unset):
  # dedicated Redshift table if present, else the private tables via coalescelist().
  resource "aws_route_table_association" "redshift" {
    count = var.create_vpc && length(var.redshift_subnets) > 0 && !var.enable_public_redshift ? length(var.redshift_subnets) : 0

    subnet_id = element(aws_subnet.redshift[*].id, count.index)

    route_table_id = element(
      coalescelist(aws_route_table.redshift[*].id, aws_route_table.private[*].id),
      var.single_nat_gateway || var.create_redshift_subnet_route_table ? 0 : count.index,
    )
  }
  # Public placement of the Redshift subnets (enable_public_redshift set): the
  # fallback is the public route table rather than the private ones. This is what
  # makes the cluster "public" at the network layer, so enabling it deserves a
  # deliberate review of the Redshift security groups / NACL rules.
  resource "aws_route_table_association" "redshift_public" {
    count = var.create_vpc && length(var.redshift_subnets) > 0 && var.enable_public_redshift ? length(var.redshift_subnets) : 0

    subnet_id = element(aws_subnet.redshift[*].id, count.index)

    route_table_id = element(
      coalescelist(aws_route_table.redshift[*].id, aws_route_table.public[*].id),
      var.single_nat_gateway || var.create_redshift_subnet_route_table ? 0 : count.index,
    )
  }
  # Binds each ElastiCache subnet to the dedicated ElastiCache table when one
  # exists, otherwise to the private tables (same fallback pattern as database).
  resource "aws_route_table_association" "elasticache" {
    count = var.create_vpc && length(var.elasticache_subnets) > 0 ? length(var.elasticache_subnets) : 0

    subnet_id = element(aws_subnet.elasticache[*].id, count.index)

    route_table_id = element(
      coalescelist(aws_route_table.elasticache[*].id, aws_route_table.private[*].id),
      var.single_nat_gateway || var.create_elasticache_subnet_route_table ? 0 : count.index,
    )
  }
  # All intra subnets share the single intra route table (index 0); these subnets
  # get no NAT / IGW route from this file.
  resource "aws_route_table_association" "intra" {
    count = var.create_vpc && length(var.intra_subnets) > 0 ? length(var.intra_subnets) : 0

    subnet_id      = element(aws_subnet.intra[*].id, count.index)
    route_table_id = element(aws_route_table.intra[*].id, 0)
  }
  # Every public subnet shares the single public route table. The direct [0]
  # index (rather than element()) fails loudly if that table does not exist.
  resource "aws_route_table_association" "public" {
    count = var.create_vpc && length(var.public_subnets) > 0 ? length(var.public_subnets) : 0

    subnet_id      = element(aws_subnet.public[*].id, count.index)
    route_table_id = aws_route_table.public[0].id
  }
  886. ####################
  887. # Customer Gateways
  888. ####################
  # One customer gateway per entry of var.customer_gateways, keyed by the map key
  # (which also becomes part of the Name tag). Not gated on var.create_vpc: a
  # customer gateway is an account-level object, not a VPC one.
  resource "aws_customer_gateway" "this" {
    for_each = var.customer_gateways

    # Peer details come straight from the caller; ip_address is the on-premises
    # endpoint and is the value to double-check before applying.
    bgp_asn    = each.value["bgp_asn"]
    ip_address = each.value["ip_address"]
    type       = "ipsec.1"

    tags = merge(
      { Name = "${var.name}-${each.key}" },
      var.tags,
      var.customer_gateway_tags,
    )
  }
  902. ##############
  903. # VPN Gateway
  904. ##############
  # Module-managed virtual private gateway, created when enable_vpn_gateway is
  # set. Uses local.vpc_id so it is ordered after the VPC and its secondary CIDRs.
  resource "aws_vpn_gateway" "this" {
    count = var.create_vpc && var.enable_vpn_gateway ? 1 : 0

    vpc_id            = local.vpc_id
    amazon_side_asn   = var.amazon_side_asn
    availability_zone = var.vpn_gateway_az

    tags = merge(
      { "Name" = var.name },
      var.tags,
      var.vpn_gateway_tags,
    )
  }
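  # Attaches a pre-existing VPN gateway (var.vpn_gateway_id) to this VPC.
  # Guarded by var.create_vpc like aws_vpn_gateway.this above: without a module
  # VPC, local.vpc_id resolves to an empty string and the attachment could only
  # fail at apply time, so it is skipped instead.
  resource "aws_vpn_gateway_attachment" "this" {
    count = var.create_vpc && var.vpn_gateway_id != "" ? 1 : 0

    vpc_id         = local.vpc_id
    vpn_gateway_id = var.vpn_gateway_id
  }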
  # Propagates routes learned through the VPN gateway into the public route table.
  # The gateway id is taken from whichever source exists: concat() lists the
  # module-created gateway first, so if both are present element(…, 0) picks it.
  # NOTE(review): the condition does not check that a public route table exists;
  # with no public subnets element() would be applied to an empty list — confirm.
  resource "aws_vpn_gateway_route_propagation" "public" {
    count = var.create_vpc && var.propagate_public_route_tables_vgw && (var.enable_vpn_gateway || var.vpn_gateway_id != "") ? 1 : 0

    route_table_id = element(aws_route_table.public[*].id, count.index)

    vpn_gateway_id = element(
      concat(aws_vpn_gateway.this[*].id, aws_vpn_gateway_attachment.this[*].vpn_gateway_id),
      count.index,
    )
  }
  # Propagates VPN-learned routes into the private route tables, one propagation
  # per private subnet (element() wraps if there are fewer tables than subnets).
  # Gateway id resolution is the same as for the public variant.
  resource "aws_vpn_gateway_route_propagation" "private" {
    count = var.create_vpc && var.propagate_private_route_tables_vgw && (var.enable_vpn_gateway || var.vpn_gateway_id != "") ? length(var.private_subnets) : 0

    route_table_id = element(aws_route_table.private[*].id, count.index)

    vpn_gateway_id = element(
      concat(aws_vpn_gateway.this[*].id, aws_vpn_gateway_attachment.this[*].vpn_gateway_id),
      count.index,
    )
  }
  # Propagates VPN-learned routes into the intra route table, one propagation per
  # intra subnet. Note this gives otherwise isolated intra subnets a path to the
  # on-premises side when propagate_intra_route_tables_vgw is enabled.
  resource "aws_vpn_gateway_route_propagation" "intra" {
    count = var.create_vpc && var.propagate_intra_route_tables_vgw && (var.enable_vpn_gateway || var.vpn_gateway_id != "") ? length(var.intra_subnets) : 0

    route_table_id = element(aws_route_table.intra[*].id, count.index)

    vpn_gateway_id = element(
      concat(aws_vpn_gateway.this[*].id, aws_vpn_gateway_attachment.this[*].vpn_gateway_id),
      count.index,
    )
  }
  956. ###########
  957. # Defaults
  958. ###########
  # Brings the account's default VPC under management (opt-in via
  # manage_default_vpc) so its DNS / ClassicLink settings and tags are enforced.
  # Independent of var.create_vpc. Per the provider, destroying this resource
  # only removes it from state; the default VPC itself is not deleted.
  resource "aws_default_vpc" "this" {
    count = var.manage_default_vpc ? 1 : 0

    enable_dns_support   = var.default_vpc_enable_dns_support
    enable_dns_hostnames = var.default_vpc_enable_dns_hostnames
    enable_classiclink   = var.default_vpc_enable_classiclink

    tags = merge(
      { "Name" = var.default_vpc_name },
      var.tags,
      var.default_vpc_tags,
    )
  }