Movatterモバイル変換

cloudposse/terraform-aws-dynamic-subnetsPublic

NotificationsYou must be signed in to change notification settings
Fork168
Star200

Terraform module for public and private subnets provisioning in existing VPC

cloudposse.com/accelerate

License

Apache-2.0 license

200 stars 168 forks Branches Tags Activity

Star

Notifications

You must be signed in to change notification settings

Branches Tags

Folders and files

Name		Name	Last commit message	Last commit date
Latest commit History 133 Commits
.github		.github
docs		docs
examples		examples
test		test
.gitignore		.gitignore
LICENSE		LICENSE
README.md		README.md
README.yaml		README.yaml
atmos.yaml		atmos.yaml
context.tf		context.tf
main.tf		main.tf
moved.tf		moved.tf
nat-gateway.tf		nat-gateway.tf
nat-instance.tf		nat-instance.tf
outputs-deprecated.tf		outputs-deprecated.tf
outputs.tf		outputs.tf
private.tf		private.tf
public.tf		public.tf
variables-deprecated.tf		variables-deprecated.tf
variables.tf		variables.tf
versions.tf		versions.tf

Repository files navigation

Terraform module to provision public and privatesubnets in an existingVPC

Note: This module is intended for use with an existing VPC and existing Internet Gateway.To create a new VPC, useterraform-aws-vpc module.

Note: Due to Terraformlimitations,many optional inputs to this module are specified as alist(string) that can have zero or one element, rather thanas astring that could be empty ornull. The designation of an input as alist type does not necessarilymean that you can supply more than one value in the list, so check the input's description before supplying more than one value.

The core function of this module is to create 2 sets of subnets, a "public" set with bidirectional access to thepublic internet, and a "private" set behind a firewall with egress-only access to the public internet. Thisincludes dividing up a given CIDR range so that a each subnet gets its owndistinct CIDR range within that range, and then creating those subnets in the appropriate availability zones.The intention is to keep this module relatively simple and easy to use for the most popular use cases.In its default configuration, this module creates 1 public subnet and 1 private subnet in eachof the specified availability zones. The public subnets are configured for bi-directional traffic to thepublic internet, while the private subnets are configured for egress-only traffic to the public internet.Rather than provide a wealth of configuration options allowing for numerous special cases, this moduleprovides some common options and further provides the ability to suppress the creation of resources, allowingyou to create and configure them as you like from outside this module. For example, rather than give you theoption to customize the Network ACL, the module gives you the option to create a completely open one (and controlaccess via Security Groups and other means) or not create one at all, allowing you to create and configure one yourself.

Public subnets

This module defines a public subnet as one that has direct access to an internet gateway and can accept incoming connection requests.In the simplest configuration, the module creates a single route table with a default route targeted to theVPC's internet gateway, and associates all the public subnets with that single route table.

Likewise it creates a single Network ACL with associated rules allowing all ingress and all egress,and associates that ACL with all the public subnets.

Private subnets

A private subnet may be able to initiate traffic to the public internet through a NAT gateway,a NAT instance, or an egress-only internet gateway, or it might only have direct access to otherprivate subnets. In the simple configuration, for IPv4 and/or IPv6 with NAT64 enabled viapublic_dns64_enabledorprivate_dns64_enabled, the module creates 1 NAT Gateway or NAT Instance for eachprivate subnet (in the public subnet in the same availability zone), creates 1 route table for each private subnet,and adds to that route table a default route from the subnet to its NAT Gateway or Instance. For IPv6,the module adds a route to the Egress-Only Internet Gateway configured via input.

As with the Public subnets, the module creates a single Network ACL with associated rules allowing all ingress andall egress, and associates that ACL with all the private subnets.

Customization for special use cases

Various features are controlled bybool inputs with names ending in_enabled. By changing the defaultvalues, you can enable or disable creation of public subnets, private subnets, route tables,NAT gateways, NAT instances, or Network ACLs. So for example, you could use this module to create onlyprivate subnets and the open Network ACL, and then add your own route table associations to the subnetsand route all non-local traffic to a Transit Gateway or VPN.

CIDR allocation

For IPv4, you provide a CIDR and the module divides the address space into the largest CIDRs possible that are stillsmall enough to accommodatemax_subnet_count subnets of each enabled type (public or private). Whenmax_subnet_countis left at the default0, it is set to the total number of availability zones in the region. Private subnetsare allocated out of the first half of the reserved range, and public subnets are allocated out of the second half.

For IPv6, you provide a/56 CIDR and the module assigns/64 subnets of that CIDR in consecutive order startingat zero. (You have the option of specifying a list of CIDRs instead.) As with IPv4, enough CIDRs are allocated tocovermax_subnet_count private and public subnets (when both are enabled, which is the default), with the privatesubnets being allocated out of the lower half of the reservation and the public subnets allocated out of the upper half.

Tip

👽 Use Atmos with Terraform

Cloud Posse usesatmos to easily orchestrate multiple environments using Terraform.
Works withGithub Actions,Atlantis, orSpacelift.

Watch demo of using Atmos with Terraform

Example of runningatmos to manage infrastructure from ourQuick Start tutorial.

Usage

module"subnets" {source="cloudposse/dynamic-subnets/aws"# Cloud Posse recommends pinning every module to a specific version# version = "x.x.x"namespace="eg"stage="prod"name="app"vpc_id="vpc-XXXXXXXX"igw_id=["igw-XXXXXXXX"]ipv4_cidr_block=["10.0.0.0/16"]availability_zones=["us-east-1a","us-east-1b"]}

Create only private subnets, route to transit gateway:

module"private_tgw_subnets" {source="cloudposse/dynamic-subnets/aws"# Cloud Posse recommends pinning every module to a specific version# version = "x.x.x"namespace="eg"stage="prod"name="app"vpc_id="vpc-XXXXXXXX"igw_id=["igw-XXXXXXXX"]ipv4_cidr_block=["10.0.0.0/16"]availability_zones=["us-east-1a","us-east-1b"]nat_gateway_enabled=falsepublic_subnets_enabled=false}resource"aws_route""private" {count=length(module.private_tgw_subnets.private_route_table_ids)route_table_id=module.private_tgw_subnets.private_route_table_ids[count.index]destination_cidr_block="0.0.0.0/0"transit_gateway_id="tgw-XXXXXXXXX"}

Seeexamples for working examples. In particular, seeexamples/naclsfor an example of how to create custom Network Access Control Lists (NACLs) outside ofbut in conjunction with this module.

Important

In Cloud Posse's examples, we avoid pinning modules to specific versions to prevent discrepancies between the documentationand the latest released versions. However, for your own projects, we strongly advise pinning each module to the exact versionyou're using. This practice ensures the stability of your infrastructure. Additionally, we recommend implementing a systematicapproach for updating versions to avoid unexpected changes.

Requirements

Name	Version
terraform	>= 1.1.0
aws	>= 3.71.0

Providers

Name	Version
aws	>= 3.71.0

Modules

Name	Source	Version
nat_instance_label	cloudposse/label/null	0.25.0
nat_label	cloudposse/label/null	0.25.0
private_label	cloudposse/label/null	0.25.0
public_label	cloudposse/label/null	0.25.0
this	cloudposse/label/null	0.25.0
utils	cloudposse/utils/aws	1.4.0

Resources

Name	Type
aws_eip.default	resource
aws_eip_association.nat_instance	resource
aws_instance.nat_instance	resource
aws_nat_gateway.default	resource
aws_network_acl.private	resource
aws_network_acl.public	resource
aws_network_acl_rule.private4_egress	resource
aws_network_acl_rule.private4_ingress	resource
aws_network_acl_rule.private6_egress	resource
aws_network_acl_rule.private6_ingress	resource
aws_network_acl_rule.public4_egress	resource
aws_network_acl_rule.public4_ingress	resource
aws_network_acl_rule.public6_egress	resource
aws_network_acl_rule.public6_ingress	resource
aws_route.nat4	resource
aws_route.nat_instance	resource
aws_route.private6	resource
aws_route.private_nat64	resource
aws_route.public	resource
aws_route.public6	resource
aws_route.public_nat64	resource
aws_route_table.private	resource
aws_route_table.public	resource
aws_route_table_association.private	resource
aws_route_table_association.public	resource
aws_security_group.nat_instance	resource
aws_security_group_rule.nat_instance_egress	resource
aws_security_group_rule.nat_instance_ingress	resource
aws_subnet.private	resource
aws_subnet.public	resource
aws_ami.nat_instance	data source
aws_availability_zones.default	data source
aws_eip.nat	data source
aws_vpc.default	data source

Inputs

Name	Description	Type	Default	Required
additional_tag_map	Additional key-value pairs to add to each map in`tags_as_list_of_maps`. Not added to`tags` or`id`. This is for some rare cases where resources want additional configuration of tags and therefore take a list of maps with tag key, value, and additional configuration.	`map(string)`	`{}`	no
attributes	ID element. Additional attributes (e.g.`workers` or`cluster`) to add to`id`, in the order they appear in the list. New attributes are appended to the end of the list. The elements of the list are joined by the`delimiter` and treated as a single ID element.	`list(string)`	`[]`	no
availability_zone_attribute_style	The style of Availability Zone code to use in tags and names. One of`full`,`short`, or`fixed`. When using`availability_zone_ids`, IDs will first be translated into AZ names.	`string`	`"short"`	no
availability_zone_ids	List of Availability Zones IDs where subnets will be created. Overrides`availability_zones`. Useful in some regions when using only some AZs and you want to use the same ones across multiple accounts.	`list(string)`	`[]`	no
availability_zones	List of Availability Zones (AZs) where subnets will be created. Ignored when`availability_zone_ids` is set. The order of zones in the listmust be stable or else Terraform will continually make changes. If no AZs are specified, then`max_subnet_count` AZs will be selected in alphabetical order. If`max_subnet_count > 0` and`length(var.availability_zones) > max_subnet_count`, the list will be truncated. We recommend setting`availability_zones` and`max_subnet_count` explicitly as constant (not computed) values for predictability, consistency, and stability.	`list(string)`	`[]`	no
aws_route_create_timeout	DEPRECATED: Use`route_create_timeout` instead. Time to wait for AWS route creation, specified as a Go Duration, e.g.`2m`	`string`	`null`	no
aws_route_delete_timeout	DEPRECATED: Use`route_delete_timeout` instead. Time to wait for AWS route deletion, specified as a Go Duration, e.g.`2m`	`string`	`null`	no
context	Single object for setting entire context at once. See description of individual variables for details. Leave string and numeric variables as`null` to use default value. Individual variable settings (non-null) override settings in context object, except for attributes, tags, and additional_tag_map, which are merged.	`any`	{ "additional_tag_map": {}, "attributes": [], "delimiter": null, "descriptor_formats": {}, "enabled": true, "environment": null, "id_length_limit": null, "label_key_case": null, "label_order": [], "label_value_case": null, "labels_as_tags": [ "unset" ], "name": null, "namespace": null, "regex_replace_chars": null, "stage": null, "tags": {}, "tenant": null }	no
delimiter	Delimiter to be used between ID elements. Defaults to`-` (hyphen). Set to`""` to use no delimiter at all.	`string`	`null`	no
descriptor_formats	Describe additional descriptors to be output in the`descriptors` output map. Map of maps. Keys are names of descriptors. Values are maps of the form `{<br/> format = string<br/> labels = list(string)<br/>}` (Type is`any` so the map values can later be enhanced to provide additional options.) `format` is a Terraform format string to be passed to the`format()` function. `labels` is a list of labels, in order, to pass to`format()` function. Label values will be normalized before being passed to`format()` so they will be identical to how they appear in`id`. Default is`{}` (`descriptors` output will be empty).	`any`	`{}`	no
enabled	Set to false to prevent the module from creating any resources	`bool`	`null`	no
environment	ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT'	`string`	`null`	no
id_length_limit	Limit`id` to this many characters (minimum 6). Set to`0` for unlimited length. Set to`null` for keep the existing setting, which defaults to`0`. Does not affect`id_full`.	`number`	`null`	no
igw_id	The Internet Gateway ID that the public subnets will route traffic to. Used if`public_route_table_enabled` is`true`, ignored otherwise.	`list(string)`	`[]`	no
ipv4_cidr_block	Base IPv4 CIDR block which will be divided into subnet CIDR blocks (e.g.`10.0.0.0/16`). Ignored if`ipv4_cidrs` is set. If no CIDR block is provided, the VPC's default IPv4 CIDR block will be used.	`list(string)`	`[]`	no
ipv4_cidrs	Lists of CIDRs to assign to subnets. Order of CIDRs in the lists must not change over time. Lists may contain more CIDRs than needed.	list(object({ private = list(string) public = list(string) }))	`[]`	no
ipv4_enabled	Set`true` to enable IPv4 addresses in the subnets	`bool`	`true`	no
ipv4_private_instance_hostname_type	How to generate the DNS name for the instances in the private subnets. Either`ip-name` to generate it from the IPv4 address, or `resource-name` to generate it from the instance ID.	`string`	`"ip-name"`	no
ipv4_private_instance_hostnames_enabled	If`true`, DNS queries for instance hostnames in the private subnets will be answered with A (IPv4) records.	`bool`	`false`	no
ipv4_public_instance_hostname_type	How to generate the DNS name for the instances in the public subnets. Either`ip-name` to generate it from the IPv4 address, or `resource-name` to generate it from the instance ID.	`string`	`"ip-name"`	no
ipv4_public_instance_hostnames_enabled	If`true`, DNS queries for instance hostnames in the public subnets will be answered with A (IPv4) records.	`bool`	`false`	no
ipv6_cidr_block	Base IPv6 CIDR block from which`/64` subnet CIDRs will be assigned. Must be`/56`. (e.g.`2600:1f16:c52:ab00::/56`). Ignored if`ipv6_cidrs` is set. If no CIDR block is provided, the VPC's default IPv6 CIDR block will be used.	`list(string)`	`[]`	no
ipv6_cidrs	Lists of CIDRs to assign to subnets. Order of CIDRs in the lists must not change over time. Lists may contain more CIDRs than needed.	list(object({ private = list(string) public = list(string) }))	`[]`	no
ipv6_egress_only_igw_id	The Egress Only Internet Gateway ID the private IPv6 subnets will route traffic to. Used if`private_route_table_enabled` is`true` and`ipv6_enabled` is`true`, ignored otherwise.	`list(string)`	`[]`	no
ipv6_enabled	Set`true` to enable IPv6 addresses in the subnets	`bool`	`false`	no
ipv6_private_instance_hostnames_enabled	If`true` (or if`ipv4_enabled` is`false`), DNS queries for instance hostnames in the private subnets will be answered with AAAA (IPv6) records.	`bool`	`false`	no
ipv6_public_instance_hostnames_enabled	If`true` (or if`ipv4_enabled` is false), DNS queries for instance hostnames in the public subnets will be answered with AAAA (IPv6) records.	`bool`	`false`	no
label_key_case	Controls the letter case of the`tags` keys (label names) for tags generated by this module. Does not affect keys of tags passed in via the`tags` input. Possible values:`lower`,`title`,`upper`. Default value:`title`.	`string`	`null`	no
label_order	The order in which the labels (ID elements) appear in the`id`. Defaults to ["namespace", "environment", "stage", "name", "attributes"]. You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present.	`list(string)`	`null`	no
label_value_case	Controls the letter case of ID elements (labels) as included in`id`, set as tag values, and output by this module individually. Does not affect values of tags passed in via the`tags` input. Possible values:`lower`,`title`,`upper` and`none` (no transformation). Set this to`title` and set`delimiter` to`""` to yield Pascal Case IDs. Default value:`lower`.	`string`	`null`	no
labels_as_tags	Set of labels (ID elements) to include as tags in the`tags` output. Default is to include all labels. Tags with empty values will not be included in the`tags` output. Set to`[]` to suppress all generated tags. Notes: The value of the`name` tag, if included, will be the`id`, not the`name`. Unlike other`null-label` inputs, the initial setting of`labels_as_tags` cannot be changed in later chained modules. Attempts to change it will be silently ignored.	`set(string)`	[ "default" ]	no
map_public_ip_on_launch	If`true`, instances launched into a public subnet will be assigned a public IPv4 address	`bool`	`true`	no
max_nats	Upper limit on number of NAT Gateways/Instances to create. Set to 1 or 2 for cost savings at the expense of availability.	`number`	`999`	no
max_subnet_count	Sets the maximum number of each type (public or private) of subnet to deploy. `0` will reserve a CIDR for every Availability Zone (excluding Local Zones) in the region, and deploy a subnet in each availability zone specified in`availability_zones` or`availability_zone_ids`, or every zone if none are specified. We recommend setting this equal to the maximum number of AZs you anticipate using, to avoid causing subnets to be destroyed and recreated with smaller IPv4 CIDRs when AWS adds an availability zone. Due to Terraform limitations, you can not set`max_subnet_count` from a computed value, you have to set it from an explicit constant. For most cases,`3` is a good choice.	`number`	`0`	no
metadata_http_endpoint_enabled	Whether the metadata service is available on the created NAT instances	`bool`	`true`	no
metadata_http_put_response_hop_limit	The desired HTTP PUT response hop limit (between 1 and 64) for instance metadata requests on the created NAT instances	`number`	`1`	no
metadata_http_tokens_required	Whether or not the metadata service requires session tokens, also referred to as Instance Metadata Service Version 2, on the created NAT instances	`bool`	`true`	no
name	ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'. This is the only ID element not also included as a`tag`. The "name" tag is set to the full`id` string. There is no tag with the value of the`name` input.	`string`	`null`	no
namespace	ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique	`string`	`null`	no
nat_elastic_ips	Existing Elastic IPs (not EIP IDs) to attach to the NAT Gateway(s) or Instance(s) instead of creating new ones.	`list(string)`	`[]`	no
nat_gateway_enabled	Set`true` to create NAT Gateways to perform IPv4 NAT and NAT64 as needed. Defaults to`true` unless`nat_instance_enabled` is`true`.	`bool`	`null`	no
nat_instance_ami_id	A list optionally containing the ID of the AMI to use for the NAT instance. If the list is empty (the default), the latest official AWS NAT instance AMI will be used. NOTE: The Official NAT instance AMI is being phased out and does not support NAT64. Use of a NAT gateway is recommended instead.	`list(string)`	`[]`	no
nat_instance_cpu_credits_override	NAT Instance credit option for CPU usage. Valid values are "standard" or "unlimited". T3 and later instances are launched as unlimited by default. T2 instances are launched as standard by default.	`string`	`""`	no
nat_instance_enabled	Set`true` to create NAT Instances to perform IPv4 NAT. Defaults to`false`.	`bool`	`null`	no
nat_instance_root_block_device_encrypted	Whether to encrypt the root block device on the created NAT instances	`bool`	`true`	no
nat_instance_type	NAT Instance type	`string`	`"t3.micro"`	no
open_network_acl_ipv4_rule_number	The`rule_no` assigned to the network ACL rules for IPv4 traffic generated by this module	`number`	`100`	no
open_network_acl_ipv6_rule_number	The`rule_no` assigned to the network ACL rules for IPv6 traffic generated by this module	`number`	`111`	no
private_assign_ipv6_address_on_creation	If`true`, network interfaces created in a private subnet will be assigned an IPv6 address	`bool`	`true`	no
private_dns64_nat64_enabled	If`true` and IPv6 is enabled, DNS queries made to the Amazon-provided DNS Resolver in private subnets will return synthetic IPv6 addresses for IPv4-only destinations, and these addresses will be routed to the NAT Gateway. Requires`public_subnets_enabled`,`nat_gateway_enabled`, and`private_route_table_enabled` to be`true` to be fully operational. Defaults to`true` unless there is no public IPv4 subnet for egress, in which case it defaults to`false`.	`bool`	`null`	no
private_label	The string to use in IDs and elsewhere to identify resources for the private subnets and distinguish them from resources for the public subnets	`string`	`"private"`	no
private_open_network_acl_enabled	If`true`, a single network ACL be created and it will be associated with every private subnet, and a rule (number 100) will be created allowing all ingress and all egress. You can add additional rules to this network ACL using the`aws_network_acl_rule` resource. If`false`, you will need to manage the network ACL outside of this module.	`bool`	`true`	no
private_route_table_enabled	If`true`, a network route table and default route to the NAT gateway, NAT instance, or egress-only gateway will be created for each private subnet (1:1). If false, you will need to create your own route table(s) and route(s).	`bool`	`true`	no
private_subnets_additional_tags	Additional tags to be added to private subnets	`map(string)`	`{}`	no
private_subnets_enabled	If false, do not create private subnets (or NAT gateways or instances)	`bool`	`true`	no
public_assign_ipv6_address_on_creation	If`true`, network interfaces created in a public subnet will be assigned an IPv6 address	`bool`	`true`	no
public_dns64_nat64_enabled	If`true` and IPv6 is enabled, DNS queries made to the Amazon-provided DNS Resolver in public subnets will return synthetic IPv6 addresses for IPv4-only destinations, and these addresses will be routed to the NAT Gateway. Requires`nat_gateway_enabled` and`public_route_table_enabled` to be`true` to be fully operational.	`bool`	`false`	no
public_label	The string to use in IDs and elsewhere to identify resources for the public subnets and distinguish them from resources for the private subnets	`string`	`"public"`	no
public_open_network_acl_enabled	If`true`, a single network ACL be created and it will be associated with every public subnet, and a rule will be created allowing all ingress and all egress. You can add additional rules to this network ACL using the`aws_network_acl_rule` resource. If`false`, you will need to manage the network ACL outside of this module.	`bool`	`true`	no
public_route_table_enabled	If`true`, network route table(s) will be created as determined by`public_route_table_per_subnet_enabled` and appropriate routes will be added to destinations this module knows about. If`false`, you will need to create your own route table(s) and route(s). Ignored if`public_route_table_ids` is non-empty.	`bool`	`true`	no
public_route_table_ids	List optionally containing the ID of a single route table shared by all public subnets or exactly one route table ID for each public subnet. If provided, it overrides`public_route_table_per_subnet_enabled`. If omitted and`public_route_table_enabled` is`true`, one or more network route tables will be created for the public subnets, according to the setting of`public_route_table_per_subnet_enabled`.	`list(string)`	`[]`	no
public_route_table_per_subnet_enabled	If`true` (and`public_route_table_enabled` is`true`), a separate network route table will be created for and associated with each public subnet. If`false` (and`public_route_table_enabled` is`true`), a single network route table will be created and it will be associated with every public subnet. If not set, it will be set to the value of`public_dns64_nat64_enabled`.	`bool`	`null`	no
public_subnets_additional_tags	Additional tags to be added to public subnets	`map(string)`	`{}`	no
public_subnets_enabled	If false, do not create public subnets. Since NAT gateways and instances must be created in public subnets, these will also not be created when`false`.	`bool`	`true`	no
regex_replace_chars	Terraform regular expression (regex) string. Characters matching the regex will be removed from the ID elements. If not set,`"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits.	`string`	`null`	no
root_block_device_encrypted	DEPRECATED: use`nat_instance_root_block_device_encrypted` instead. Whether to encrypt the root block device on the created NAT instances	`bool`	`null`	no
route_create_timeout	Time to wait for a network routing table entry to be created, specified as a Go Duration, e.g.`2m`. Use`null` for proivder default.	`string`	`null`	no
route_delete_timeout	Time to wait for a network routing table entry to be deleted, specified as a Go Duration, e.g.`2m`. Use`null` for proivder default.	`string`	`null`	no
stage	ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release'	`string`	`null`	no
subnet_create_timeout	Time to wait for a subnet to be created, specified as a Go Duration, e.g.`2m`. Use`null` for proivder default.	`string`	`null`	no
subnet_delete_timeout	Time to wait for a subnet to be deleted, specified as a Go Duration, e.g.`5m`. Use`null` for proivder default.	`string`	`null`	no
subnet_type_tag_key	DEPRECATED: Use`public_subnets_additional_tags` and`private_subnets_additional_tags` instead Key for subnet type tag to provide information about the type of subnets, e.g.`cpco.io/subnet/type: private` or`cpco.io/subnet/type: public`	`string`	`null`	no
subnet_type_tag_value_format	DEPRECATED: Use`public_subnets_additional_tags` and`private_subnets_additional_tags` instead. The value of the`subnet_type_tag_key` will be set to`format(var.subnet_type_tag_value_format, <type>)` where`<type>` is either`public` or`private`.	`string`	`"%s"`	no
subnets_per_az_count	The number of subnet of each type (public or private) to provision per Availability Zone.	`number`	`1`	no
subnets_per_az_names	The subnet names of each type (public or private) to provision per Availability Zone. This variable is optional. If a list of names is provided, the list items will be used as keys in the outputs`named_private_subnets_map`,`named_public_subnets_map`, `named_private_route_table_ids_map` and`named_public_route_table_ids_map`	`list(string)`	[ "common" ]	no
tags	Additional tags (e.g.`{'BusinessUnit': 'XYZ'}`). Neither the tag keys nor the tag values will be modified by this module.	`map(string)`	`{}`	no
tenant	ID element _(Rarely used, not included by default)_. A customer identifier, indicating who this instance of a resource is for	`string`	`null`	no
vpc_id	VPC ID where subnets will be created (e.g.`vpc-aceb2723`)	`string`	n/a	yes

Outputs

Name	Description
availability_zone_ids	List of Availability Zones IDs where subnets were created, when available
availability_zones	List of Availability Zones where subnets were created
az_private_route_table_ids_map	Map of AZ names to list of private route table IDs in the AZs
az_private_subnets_map	Map of AZ names to list of private subnet IDs in the AZs
az_public_route_table_ids_map	Map of AZ names to list of public route table IDs in the AZs
az_public_subnets_map	Map of AZ names to list of public subnet IDs in the AZs
named_private_route_table_ids_map	Map of subnet names (specified in`subnets_per_az_names` variable) to lists of private route table IDs
named_private_subnets_map	Map of subnet names (specified in`subnets_per_az_names` variable) to lists of private subnet IDs
named_private_subnets_stats_map	Map of subnet names (specified in`subnets_per_az_names` variable) to lists of objects with each object having three items: AZ, private subnet ID, private route table ID
named_public_route_table_ids_map	Map of subnet names (specified in`subnets_per_az_names` variable) to lists of public route table IDs
named_public_subnets_map	Map of subnet names (specified in`subnets_per_az_names` variable) to lists of public subnet IDs
named_public_subnets_stats_map	Map of subnet names (specified in`subnets_per_az_names` variable) to lists of objects with each object having three items: AZ, public subnet ID, public route table ID
nat_eip_allocation_ids	Elastic IP allocations in use by NAT
nat_gateway_ids	IDs of the NAT Gateways created
nat_gateway_public_ips	DEPRECATED: use`nat_ips` instead. Public IPv4 IP addresses in use by NAT.
nat_instance_ami_id	ID of AMI used by NAT instance
nat_instance_ids	IDs of the NAT Instances created
nat_ips	Elastic IP Addresses in use by NAT
private_network_acl_id	ID of the Network ACL created for private subnets
private_route_table_ids	IDs of the created private route tables
private_subnet_arns	ARNs of the created private subnets
private_subnet_cidrs	IPv4 CIDR blocks of the created private subnets
private_subnet_ids	IDs of the created private subnets
private_subnet_ipv6_cidrs	IPv6 CIDR blocks of the created private subnets
public_network_acl_id	ID of the Network ACL created for public subnets
public_route_table_ids	IDs of the created public route tables
public_subnet_arns	ARNs of the created public subnets
public_subnet_cidrs	IPv4 CIDR blocks of the created public subnets
public_subnet_ids	IDs of the created public subnets
public_subnet_ipv6_cidrs	IPv6 CIDR blocks of the created public subnets

Subnet calculation logic

terraform-aws-dynamic-subnets creates a set of subnets based on various CIDR inputs andthe maximum possible number of subnets, which ismax_subnet_count when specified orthe number of Availability Zones in the region whenmax_subnet_count is left atits default value of zero.

You can explicitly provide CIDRs for subnets viaipv4_cidrs andipv6_cidrs inputs if you want,but the usual use case is to provide a single CIDR which this module will subdivide into a setof CIDRs as follows:

Get number of available AZ in the region:

existing_az_count = length(data.aws_availability_zones.available.names)

Determine how many sets of subnets are being created. (Usually it is2:public andprivate):subnet_type_count.
Multiply the results of (1) and (2) to determine how many CIDRs to reserve:

cidr_count = existing_az_count * subnet_type_count

Calculate the number of bits needed to enumerate all the CIDRs:

subnet_bits = ceil(log(cidr_count, 2))

Reserve CIDRs for private subnets usingcidrsubnet:

private_subnet_cidrs = [ for netnumber in range(0, existing_az_count): cidrsubnet(cidr_block, subnet_bits, netnumber) ]

Reserve CIDRs for public subnets in the second half of the CIDR block:

public_subnet_cidrs = [ for netnumber in range(existing_az_count, existing_az_count * 2): cidrsubnet(cidr_block, subnet_bits, netnumber) ]

Note that this means that, for example, in a region with 4 availability zones, if you specify only 3 availability zonesinvar.availability_zones, this module will still reserve CIDRs for the 4th zone. This is so that if you laterwant to expand into that zone, the existing subnet CIDR assignments will not be disturbed. If you do not wantto reserve these CIDRs, setmax_subnet_count to the number of zones you are actually using.

Related Projects

Check out these related projects.

terraform-aws-vpc - Terraform Module that defines a VPC with public/private subnets across multiple AZs with Internet Gateways
terraform-aws-vpc-peering - Terraform module to create a peering connection between two VPCs
terraform-aws-kops-vpc-peering - Terraform module to create a peering connection between a backing services VPC and a VPC created by Kops
terraform-aws-named-subnets - Terraform module for named subnets provisioning.

Tip

Use Terraform Reference Architectures for AWS

Use Cloud Posse's ready-to-goterraform architecture blueprints for AWS to get up and running quickly.

✅ We build it together with your team.
✅ Your team owns everything.
✅ 100% Open Source and backed by fanatical support.

📚Learn More

Cloud Posse is the leadingDevOps Accelerator for funded startups and enterprises.

Your team can operate like a pro today.

Ensure that your team succeeds by using Cloud Posse's proven process and turnkey blueprints. Plus, we stick around until you succeed.

Day-0: Your Foundation for Success

Reference Architecture. You'll get everything you need from the ground up built using 100% infrastructure as code.
Deployment Strategy. Adopt a proven deployment strategy with GitHub Actions, enabling automated, repeatable, and reliable software releases.
Site Reliability Engineering. Gain total visibility into your applications and services with Datadog, ensuring high availability and performance.
Security Baseline. Establish a secure environment from the start, with built-in governance, accountability, and comprehensive audit logs, safeguarding your operations.
GitOps. Empower your team to manage infrastructure changes confidently and efficiently through Pull Requests, leveraging the full power of GitHub Actions.

Day-2: Your Operational Mastery

Training. Equip your team with the knowledge and skills to confidently manage the infrastructure, ensuring long-term success and self-sufficiency.
Support. Benefit from a seamless communication over Slack with our experts, ensuring you have the support you need, whenever you need it.
Troubleshooting. Access expert assistance to quickly resolve any operational challenges, minimizing downtime and maintaining business continuity.
Code Reviews. Enhance your team’s code quality with our expert feedback, fostering continuous improvement and collaboration.
Bug Fixes. Rely on our team to troubleshoot and resolve any issues, ensuring your systems run smoothly.
Migration Assistance. Accelerate your migration process with our dedicated support, minimizing disruption and speeding up time-to-value.
Customer Workshops. Engage with our team in weekly workshops, gaining insights and strategies to continuously improve and innovate.

✨ Contributing

This project is under active development, and we encourage contributions from our community.

Many thanks to our outstanding contributors:

For 🐛 bug reports & feature requests, please use theissue tracker.

In general, PRs are welcome. We follow the typical "fork-and-pull" Git workflow.

Review ourCode of Conduct andContributor Guidelines.
Fork the repo on GitHub
Clone the project to your own machine
Commit changes to your own branch
Push your work back up to your fork
Submit aPull Request so that we can review your changes

NOTE: Be sure to merge the latest changes from "upstream" before making a pull request!

Running Terraform Tests

We useAtmos to streamline how Terraform tests are run. It centralizes configuration and wraps common test workflows with easy-to-use commands.

All tests are located in thetest/ folder.

Under the hood, tests are powered by Terratest together with our internalTest Helpers library, providing robust infrastructure validation.

Setup dependencies:

Install Atmos (installation guide)
Install Go1.24+ or newer
Install Terraform or OpenTofu

To run tests:

Run all tests:
```
atmostest run
```
Clean up test artifacts:
```
atmostest clean
```
Explore additional test options:
```
atmostest --help
```

The configuration for test commands is centrally managed. To review what's being imported, see theatmos.yaml file.

Learn more about ourautomated testing in our documentation or implementingcustom commands with atmos.

🌎 Slack Community

Join ourOpen Source Community on Slack. It'sFREE for everyone! Our "SweetOps" community is where you get to talk with others who share a similar vision for how to rollout and manage infrastructure. This is the best place to talk shop, ask questions, solicit feedback, and work together as a community to build totallysweet infrastructure.

📰 Newsletter

Sign up forour newsletter and join 3,000+ DevOps engineers, CTOs, and founders who get insider access to the latest DevOps trends, so you can always stay in the know.Dropped straight into your Inbox every week — and usually a 5-minute read.

📆 Office Hours

Join us every Wednesday via Zoom for your weekly dose of insider DevOps trends, AWS news and Terraform insights, all sourced from our SweetOps community, plus alive Q&A that you can’t find anywhere else.It'sFREE for everyone!

License

Preamble to the Apache License, Version 2.0

Complete license is available in theLICENSE file.

Licensed to the Apache Software Foundation (ASF) under oneor more contributor license agreements.  See the NOTICE filedistributed with this work for additional informationregarding copyright ownership.  The ASF licenses this fileto you under the Apache License, Version 2.0 (the"License"); you may not use this file except in compliancewith the License.  You may obtain a copy of the License at  https://www.apache.org/licenses/LICENSE-2.0Unless required by applicable law or agreed to in writing,software distributed under the License is distributed on an"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANYKIND, either express or implied.  See the License for thespecific language governing permissions and limitationsunder the License.