Terraform module which creates VPC resources on AWS.
module "vpc" {
source = "terraform-aws-modules/vpc/aws"
name = "my-vpc"
cidr = "10.0.0.0/16"
azs = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
enable_nat_gateway = true
enable_vpn_gateway = true
tags = {
Terraform = "true"
Environment = "dev"
}
}By default this module will provision new Elastic IPs for the VPC's NAT Gateways. This means that when creating a new VPC, new IPs are allocated, and when that VPC is destroyed those IPs are released. Sometimes it is handy to keep the same IPs even after the VPC is destroyed and re-created. To that end, it is possible to assign existing IPs to the NAT Gateways. This prevents the destruction of the VPC from releasing those IPs, while making it possible that a re-created VPC uses the same IPs.
To achieve this, allocate the IPs outside the VPC module declaration.
resource "aws_eip" "nat" {
count = 3
vpc = true
}Then, pass the allocated IPs as a parameter to this module.
module "vpc" {
source = "terraform-aws-modules/vpc/aws"
# The rest of arguments are omitted for brevity
enable_nat_gateway = true
single_nat_gateway = false
reuse_nat_ips = true # <= Skip creation of EIPs for the NAT Gateways
external_nat_ip_ids = "${aws_eip.nat.*.id}" # <= IPs specified here as input to the module
}Note that in the example we allocate 3 IPs because we will be provisioning 3 NAT Gateways (due to single_nat_gateway = false and having 3 subnets).
If, on the other hand, single_nat_gateway = true, then aws_eip.nat would only need to allocate 1 IP.
Passing the IPs into the module is done by setting two variables reuse_nat_ips = true and external_nat_ip_ids = "${aws_eip.nat.*.id}".
This module supports three scenarios for creating NAT gateways. Each will be explained in further detail in the corresponding sections.
- One NAT Gateway per subnet (default behavior)
enable_nat_gateway = truesingle_nat_gateway = falseone_nat_gateway_per_az = false
- Single NAT Gateway
enable_nat_gateway = truesingle_nat_gateway = trueone_nat_gateway_per_az = false
- One NAT Gateway per availability zone
enable_nat_gateway = truesingle_nat_gateway = falseone_nat_gateway_per_az = true
If both single_nat_gateway and one_nat_gateway_per_az are set to true, then single_nat_gateway takes precedence.
By default, the module will determine the number of NAT Gateways to create based on the the max() of the private subnet lists (database_subnets, elasticache_subnets, private_subnets, and redshift_subnets). The module does not take into account the number of intra_subnets, since the latter are designed to have no Internet access via NAT Gateway. For example, if your configuration looks like the following:
database_subnets = ["10.0.21.0/24", "10.0.22.0/24"]
elasticache_subnets = ["10.0.31.0/24", "10.0.32.0/24"]
private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24", "10.0.4.0/24", "10.0.5.0/24"]
redshift_subnets = ["10.0.41.0/24", "10.0.42.0/24"]
intra_subnets = ["10.0.51.0/24", "10.0.52.0/24", "10.0.53.0/24"]Then 5 NAT Gateways will be created since 5 private subnet CIDR blocks were specified.
If single_nat_gateway = true, then all private subnets will route their Internet traffic through this single NAT gateway. The NAT gateway will be placed in the first public subnet in your public_subnets block.
If one_nat_gateway_per_az = true and single_nat_gateway = false, then the module will place one NAT gateway in each availability zone you specify in var.azs. There are some requirements around using this feature flag:
- The variable
var.azsmust be specified. - The number of public subnet CIDR blocks specified in
public_subnetsmust be greater than or equal to the number of availability zones specified invar.azs. This is to ensure that each NAT Gateway has a dedicated public subnet to deploy to.
By default, if NAT Gateways are enabled, private subnets will be configured with routes for Internet traffic that point at the NAT Gateways configured by use of the above options.
If you need private subnets that should have no Internet routing (in the sense of RFC1918 Category 1 subnets), intra_subnets should be specified. An example use case is configuration of AWS Lambda functions within a VPC, where AWS Lambda functions only need to pass traffic to internal resources or VPC endpoints for AWS services.
Since AWS Lambda functions allocate Elastic Network Interfaces in proportion to the traffic received (read more), it can be useful to allocate a large private subnet for such allocations, while keeping the traffic they generate entirely internal to the VPC.
You can add additional tags with intra_subnet_tags as with other subnet types.
VPC Flow Log allows to capture IP traffic for a specific network interface (ENI), subnet, or entire VPC. This module supports enabling or disabling VPC Flow Logs for entire VPC. If you need to have VPC Flow Logs for subnet or ENI, you have to manage it outside of this module with aws_flow_log resource.
By default file_format is plain-text. You can also specify parquet to have logs written in Apache Parquet format.
flow_log_file_format = "parquet"
If your organization requires a permissions boundary to be attached to the VPC Flow Log role, make sure that you specify an ARN of the permissions boundary policy as vpc_flow_log_permissions_boundary argument. Read more about required IAM policy for publishing flow logs.
This module can manage network ACL and rules. Once VPC is created, AWS creates the default network ACL, which can be controlled using this module (manage_default_network_acl = true).
Also, each type of subnet may have its own network ACL with custom rules per subnet. Eg, set public_dedicated_network_acl = true to use dedicated network ACL for the public subnets; set values of public_inbound_acl_rules and public_outbound_acl_rules to specify all the NACL rules you need to have on public subnets (see variables.tf for default values and structures).
By default, all subnets are associated with the default network ACL.
Sometimes it is handy to have public access to Redshift clusters (for example if you need to access it by Kinesis - VPC endpoint for Kinesis is not yet supported by Redshift) by specifying these arguments:
enable_public_redshift = true # <= By default Redshift subnets will be associated with the private route tableIt is possible to integrate this VPC module with terraform-aws-transit-gateway module which handles the creation of TGW resources and VPC attachments. See complete example there.
- Simple VPC
- Simple VPC with secondary CIDR blocks
- Complete VPC with VPC Endpoints.
- VPC with IPv6 enabled
- Network ACL
- VPC Flow Logs
- VPC with Outpost
- Manage Default VPC
- Few tests and edge case examples
| Name | Version |
|---|---|
| terraform | >= 0.13.1 |
| aws | >= 3.63 |
| Name | Version |
|---|---|
| aws | >= 3.63 |
No modules.
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| amazon_side_asn | The Autonomous System Number (ASN) for the Amazon side of the gateway. By default the virtual private gateway is created with the current default Amazon ASN. | string |
"64512" |
no |
| assign_ipv6_address_on_creation | Assign IPv6 address on subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch | bool |
false |
no |
| azs | A list of availability zones names or ids in the region | list(string) |
[] |
no |
| cidr | The CIDR block for the VPC. Default value is a valid CIDR, but not acceptable by AWS and should be overridden | string |
"0.0.0.0/0" |
no |
| create_database_nat_gateway_route | Controls if a nat gateway route should be created to give internet access to the database subnets | bool |
false |
no |
| create_database_subnet_group | Controls if database subnet group should be created (n.b. database_subnets must also be set) | bool |
true |
no |
| create_database_subnet_route_table | Controls if separate route table for database should be created | bool |
false |
no |
| create_egress_only_igw | Controls if an Egress Only Internet Gateway is created and its related routes. | bool |
true |
no |
| create_elasticache_subnet_group | Controls if elasticache subnet group should be created | bool |
true |
no |
| create_elasticache_subnet_route_table | Controls if separate route table for elasticache should be created | bool |
false |
no |
| create_flow_log_cloudwatch_iam_role | Whether to create IAM role for VPC Flow Logs | bool |
false |
no |
| create_flow_log_cloudwatch_log_group | Whether to create CloudWatch log group for VPC Flow Logs | bool |
false |
no |
| create_igw | Controls if an Internet Gateway is created for public subnets and the related routes that connect them. | bool |
true |
no |
| create_redshift_subnet_group | Controls if redshift subnet group should be created | bool |
true |
no |
| create_redshift_subnet_route_table | Controls if separate route table for redshift should be created | bool |
false |
no |
| customer_gateway_tags | Additional tags for the Customer Gateway | map(string) |
{} |
no |
| customer_gateways | Maps of Customer Gateway's attributes (BGP ASN and Gateway's Internet-routable external IP address) | map(map(any)) |
{} |
no |
| database_acl_tags | Additional tags for the database subnets network ACL | map(string) |
{} |
no |
| database_dedicated_network_acl | Whether to use dedicated network ACL (not default) and custom rules for database subnets | bool |
false |
no |
| database_inbound_acl_rules | Database subnets inbound network ACL rules | list(map(string)) |
[ |
no |
| database_outbound_acl_rules | Database subnets outbound network ACL rules | list(map(string)) |
[ |
no |
| database_route_table_tags | Additional tags for the database route tables | map(string) |
{} |
no |
| database_subnet_assign_ipv6_address_on_creation | Assign IPv6 address on database subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch | bool |
null |
no |
| database_subnet_group_name | Name of database subnet group | string |
null |
no |
| database_subnet_group_tags | Additional tags for the database subnet group | map(string) |
{} |
no |
| database_subnet_ipv6_prefixes | Assigns IPv6 database subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list | list(string) |
[] |
no |
| database_subnet_suffix | Suffix to append to database subnets name | string |
"db" |
no |
| database_subnet_tags | Additional tags for the database subnets | map(string) |
{} |
no |
| database_subnets | A list of database subnets | list(string) |
[] |
no |
| default_network_acl_egress | List of maps of egress rules to set on the Default Network ACL | list(map(string)) |
[ |
no |
| default_network_acl_ingress | List of maps of ingress rules to set on the Default Network ACL | list(map(string)) |
[ |
no |
| default_network_acl_name | Name to be used on the Default Network ACL | string |
"" |
no |
| default_network_acl_tags | Additional tags for the Default Network ACL | map(string) |
{} |
no |
| default_route_table_propagating_vgws | List of virtual gateways for propagation | list(string) |
[] |
no |
| default_route_table_routes | Configuration block of routes. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_route_table#route | list(map(string)) |
[] |
no |
| default_route_table_tags | Additional tags for the default route table | map(string) |
{} |
no |
| default_security_group_egress | List of maps of egress rules to set on the default security group | list(map(string)) |
null |
no |
| default_security_group_ingress | List of maps of ingress rules to set on the default security group | list(map(string)) |
null |
no |
| default_security_group_name | Name to be used on the default security group | string |
"default" |
no |
| default_security_group_tags | Additional tags for the default security group | map(string) |
{} |
no |
| default_vpc_enable_classiclink | Should be true to enable ClassicLink in the Default VPC | bool |
false |
no |
| default_vpc_enable_dns_hostnames | Should be true to enable DNS hostnames in the Default VPC | bool |
false |
no |
| default_vpc_enable_dns_support | Should be true to enable DNS support in the Default VPC | bool |
true |
no |
| default_vpc_name | Name to be used on the Default VPC | string |
"" |
no |
| default_vpc_tags | Additional tags for the Default VPC | map(string) |
{} |
no |
| dhcp_options_domain_name | Specifies DNS name for DHCP options set (requires enable_dhcp_options set to true) | string |
"" |
no |
| dhcp_options_domain_name_servers | Specify a list of DNS server addresses for DHCP options set, default to AWS provided (requires enable_dhcp_options set to true) | list(string) |
[ |
no |
| dhcp_options_netbios_name_servers | Specify a list of netbios servers for DHCP options set (requires enable_dhcp_options set to true) | list(string) |
[] |
no |
| dhcp_options_netbios_node_type | Specify netbios node_type for DHCP options set (requires enable_dhcp_options set to true) | string |
"" |
no |
| dhcp_options_ntp_servers | Specify a list of NTP servers for DHCP options set (requires enable_dhcp_options set to true) | list(string) |
[] |
no |
| dhcp_options_tags | Additional tags for the DHCP option set (requires enable_dhcp_options set to true) | map(string) |
{} |
no |
| elasticache_acl_tags | Additional tags for the elasticache subnets network ACL | map(string) |
{} |
no |
| elasticache_dedicated_network_acl | Whether to use dedicated network ACL (not default) and custom rules for elasticache subnets | bool |
false |
no |
| elasticache_inbound_acl_rules | Elasticache subnets inbound network ACL rules | list(map(string)) |
[ |
no |
| elasticache_outbound_acl_rules | Elasticache subnets outbound network ACL rules | list(map(string)) |
[ |
no |
| elasticache_route_table_tags | Additional tags for the elasticache route tables | map(string) |
{} |
no |
| elasticache_subnet_assign_ipv6_address_on_creation | Assign IPv6 address on elasticache subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch | bool |
null |
no |
| elasticache_subnet_group_name | Name of elasticache subnet group | string |
null |
no |
| elasticache_subnet_group_tags | Additional tags for the elasticache subnet group | map(string) |
{} |
no |
| elasticache_subnet_ipv6_prefixes | Assigns IPv6 elasticache subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list | list(string) |
[] |
no |
| elasticache_subnet_suffix | Suffix to append to elasticache subnets name | string |
"elasticache" |
no |
| elasticache_subnet_tags | Additional tags for the elasticache subnets | map(string) |
{} |
no |
| elasticache_subnets | A list of elasticache subnets | list(string) |
[] |
no |
| enable_classiclink | Should be true to enable ClassicLink for the VPC. Only valid in regions and accounts that support EC2 Classic. | bool |
null |
no |
| enable_classiclink_dns_support | Should be true to enable ClassicLink DNS Support for the VPC. Only valid in regions and accounts that support EC2 Classic. | bool |
null |
no |
| enable_dhcp_options | Should be true if you want to specify a DHCP options set with a custom domain name, DNS servers, NTP servers, netbios servers, and/or netbios server type | bool |
false |
no |
| enable_dns_hostnames | Should be true to enable DNS hostnames in the VPC | bool |
false |
no |
| enable_dns_support | Should be true to enable DNS support in the VPC | bool |
true |
no |
| enable_flow_log | Whether or not to enable VPC Flow Logs | bool |
false |
no |
| enable_ipv6 | Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block. | bool |
false |
no |
| enable_nat_gateway | Should be true if you want to provision NAT Gateways for each of your private networks | bool |
false |
no |
| enable_public_redshift | Controls if redshift should have public routing table | bool |
false |
no |
| enable_vpn_gateway | Should be true if you want to create a new VPN Gateway resource and attach it to the VPC | bool |
false |
no |
| external_nat_ip_ids | List of EIP IDs to be assigned to the NAT Gateways (used in combination with reuse_nat_ips) | list(string) |
[] |
no |
| external_nat_ips | List of EIPs to be used for nat_public_ips output (used in combination with reuse_nat_ips and external_nat_ip_ids) |
list(string) |
[] |
no |
| flow_log_cloudwatch_iam_role_arn | The ARN for the IAM role that's used to post flow logs to a CloudWatch Logs log group. When flow_log_destination_arn is set to ARN of Cloudwatch Logs, this argument needs to be provided. | string |
"" |
no |
| flow_log_cloudwatch_log_group_kms_key_id | The ARN of the KMS Key to use when encrypting log data for VPC flow logs. | string |
null |
no |
| flow_log_cloudwatch_log_group_name_prefix | Specifies the name prefix of CloudWatch Log Group for VPC flow logs. | string |
"/aws/vpc-flow-log/" |
no |
| flow_log_cloudwatch_log_group_retention_in_days | Specifies the number of days you want to retain log events in the specified log group for VPC flow logs. | number |
null |
no |
| flow_log_destination_arn | The ARN of the CloudWatch log group or S3 bucket where VPC Flow Logs will be pushed. If this ARN is a S3 bucket the appropriate permissions need to be set on that bucket's policy. When create_flow_log_cloudwatch_log_group is set to false this argument must be provided. | string |
"" |
no |
| flow_log_destination_type | Type of flow log destination. Can be s3 or cloud-watch-logs. | string |
"cloud-watch-logs" |
no |
| flow_log_file_format | (Optional) The format for the flow log. Valid values: plain-text, parquet. |
string |
"plain-text" |
no |
| flow_log_hive_compatible_partitions | (Optional) Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3. | bool |
false |
no |
| flow_log_log_format | The fields to include in the flow log record, in the order in which they should appear. | string |
null |
no |
| flow_log_max_aggregation_interval | The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: 60 seconds or 600 seconds. |
number |
600 |
no |
| flow_log_per_hour_partition | (Optional) Indicates whether to partition the flow log per hour. This reduces the cost and response time for queries. | bool |
false |
no |
| flow_log_traffic_type | The type of traffic to capture. Valid values: ACCEPT, REJECT, ALL. | string |
"ALL" |
no |
| igw_tags | Additional tags for the internet gateway | map(string) |
{} |
no |
| instance_tenancy | A tenancy option for instances launched into the VPC | string |
"default" |
no |
| intra_acl_tags | Additional tags for the intra subnets network ACL | map(string) |
{} |
no |
| intra_dedicated_network_acl | Whether to use dedicated network ACL (not default) and custom rules for intra subnets | bool |
false |
no |
| intra_inbound_acl_rules | Intra subnets inbound network ACLs | list(map(string)) |
[ |
no |
| intra_outbound_acl_rules | Intra subnets outbound network ACLs | list(map(string)) |
[ |
no |
| intra_route_table_tags | Additional tags for the intra route tables | map(string) |
{} |
no |
| intra_subnet_assign_ipv6_address_on_creation | Assign IPv6 address on intra subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch | bool |
null |
no |
| intra_subnet_ipv6_prefixes | Assigns IPv6 intra subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list | list(string) |
[] |
no |
| intra_subnet_suffix | Suffix to append to intra subnets name | string |
"intra" |
no |
| intra_subnet_tags | Additional tags for the intra subnets | map(string) |
{} |
no |
| intra_subnets | A list of intra subnets | list(string) |
[] |
no |
| manage_default_network_acl | Should be true to adopt and manage Default Network ACL | bool |
false |
no |
| manage_default_route_table | Should be true to manage default route table | bool |
false |
no |
| manage_default_security_group | Should be true to adopt and manage default security group | bool |
false |
no |
| manage_default_vpc | Should be true to adopt and manage Default VPC | bool |
false |
no |
| map_public_ip_on_launch | Should be false if you do not want to auto-assign public IP on launch | bool |
true |
no |
| name | Name to be used on all the resources as identifier | string |
"" |
no |
| nat_eip_tags | Additional tags for the NAT EIP | map(string) |
{} |
no |
| nat_gateway_tags | Additional tags for the NAT gateways | map(string) |
{} |
no |
| one_nat_gateway_per_az | Should be true if you want only one NAT Gateway per availability zone. Requires var.azs to be set, and the number of public_subnets created to be greater than or equal to the number of availability zones specified in var.azs. |
bool |
false |
no |
| private_acl_tags | Additional tags for the private subnets network ACL | map(string) |
{} |
no |
| private_dedicated_network_acl | Whether to use dedicated network ACL (not default) and custom rules for private subnets | bool |
false |
no |
| private_inbound_acl_rules | Private subnets inbound network ACLs | list(map(string)) |
[ |
no |
| private_outbound_acl_rules | Private subnets outbound network ACLs | list(map(string)) |
[ |
no |
| private_route_table_tags | Additional tags for the private route tables | map(string) |
{} |
no |
| private_subnet_assign_ipv6_address_on_creation | Assign IPv6 address on private subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch | bool |
null |
no |
| private_subnet_ipv6_prefixes | Assigns IPv6 private subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list | list(string) |
[] |
no |
| private_subnet_suffix | Suffix to append to private subnets name | string |
"private" |
no |
| private_subnet_tags | Additional tags for the private subnets | map(string) |
{} |
no |
| private_subnets | A list of private subnets inside the VPC | list(string) |
[] |
no |
| propagate_intra_route_tables_vgw | Should be true if you want route table propagation | bool |
false |
no |
| propagate_private_route_tables_vgw | Should be true if you want route table propagation | bool |
false |
no |
| propagate_public_route_tables_vgw | Should be true if you want route table propagation | bool |
false |
no |
| public_acl_tags | Additional tags for the public subnets network ACL | map(string) |
{} |
no |
| public_dedicated_network_acl | Whether to use dedicated network ACL (not default) and custom rules for public subnets | bool |
false |
no |
| public_inbound_acl_rules | Public subnets inbound network ACLs | list(map(string)) |
[ |
no |
| public_outbound_acl_rules | Public subnets outbound network ACLs | list(map(string)) |
[ |
no |
| public_route_table_tags | Additional tags for the public route tables | map(string) |
{} |
no |
| public_subnet_assign_ipv6_address_on_creation | Assign IPv6 address on public subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch | bool |
null |
no |
| public_subnet_ipv6_prefixes | Assigns IPv6 public subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list | list(string) |
[] |
no |
| public_subnet_suffix | Suffix to append to public subnets name | string |
"public" |
no |
| public_subnet_tags | Additional tags for the public subnets | map(string) |
{} |
no |
| public_subnets | A list of public subnets inside the VPC | list(string) |
[] |
no |
| redshift_acl_tags | Additional tags for the redshift subnets network ACL | map(string) |
{} |
no |
| redshift_dedicated_network_acl | Whether to use dedicated network ACL (not default) and custom rules for redshift subnets | bool |
false |
no |
| redshift_inbound_acl_rules | Redshift subnets inbound network ACL rules | list(map(string)) |
[ |
no |
| redshift_outbound_acl_rules | Redshift subnets outbound network ACL rules | list(map(string)) |
[ |
no |
| redshift_route_table_tags | Additional tags for the redshift route tables | map(string) |
{} |
no |
| redshift_subnet_assign_ipv6_address_on_creation | Assign IPv6 address on redshift subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch | bool |
null |
no |
| redshift_subnet_group_name | Name of redshift subnet group | string |
null |
no |
| redshift_subnet_group_tags | Additional tags for the redshift subnet group | map(string) |
{} |
no |
| redshift_subnet_ipv6_prefixes | Assigns IPv6 redshift subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list | list(string) |
[] |
no |
| redshift_subnet_suffix | Suffix to append to redshift subnets name | string |
"redshift" |
no |
| redshift_subnet_tags | Additional tags for the redshift subnets | map(string) |
{} |
no |
| redshift_subnets | A list of redshift subnets | list(string) |
[] |
no |
| reuse_nat_ips | Should be true if you don't want EIPs to be created for your NAT Gateways and will instead pass them in via the 'external_nat_ip_ids' variable | bool |
false |
no |
| secondary_cidr_blocks | List of secondary CIDR blocks to associate with the VPC to extend the IP Address pool | list(string) |
[] |
no |
| single_nat_gateway | Should be true if you want to provision a single shared NAT Gateway across all of your private networks | bool |
false |
no |
| tags | A map of tags to add to all resources | map(string) |
{} |
no |
| vpc_flow_log_permissions_boundary | The ARN of the Permissions Boundary for the VPC Flow Log IAM Role | string |
null |
no |
| vpc_flow_log_tags | Additional tags for the VPC Flow Logs | map(string) |
{} |
no |
| vpc_tags | Additional tags for the VPC | map(string) |
{} |
no |
| vpn_gateway_az | The Availability Zone for the VPN Gateway | string |
null |
no |
| vpn_gateway_id | ID of VPN Gateway to attach to the VPC | string |
"" |
no |
| vpn_gateway_tags | Additional tags for the VPN gateway | map(string) |
{} |
no |
| Name | Description |
|---|---|
| vpc | VPC and subnet attributes |