From 796fb9f611aed4e94cc34c2bc63e9db9b8059586 Mon Sep 17 00:00:00 2001
From: Frederic Giloux
Date: Mon, 4 Nov 2024 09:42:04 +0100
Subject: [PATCH 1/2] feat: Make it possible to select availability zones

This introduces a variable that allows the selection of availability zones. This is useful when some instance types, e.g. m5zn.metal are only available in certain availability zones. If no value is specified the default behaviour stays the same and all availability zones in the region are considered.

Signed-off-by: Frederic Giloux
---
 locals.tf | 1 +
 main.tf | 28 ++++++++++++++--------------
 variables.tf | 12 +++++++++++-
 3 files changed, 26 insertions(+), 15 deletions(-)

diff --git a/locals.tf b/locals.tf
index 0a506e0..02956b2 100644
--- a/locals.tf
+++ b/locals.tf
@@ -1,3 +1,4 @@
 locals {
 bastion_host_key_pair_name = "${var.name}-bastion"
+ availability_zones = length(var.availability_zones) > 0 ? var.availability_zones : data.aws_availability_zones.available.names
 }
diff --git a/main.tf b/main.tf
index f33bcc0..ba7fdf6 100644
--- a/main.tf
+++ b/main.tf
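Review bot: The new `availability_zones` local forwards any non-empty `var.availability_zones` verbatim, so a zone name that does not exist in the provider's region, or that the account has not opted into, is presumably only rejected when the subnets are created at apply time rather than at plan. A `postcondition` on `data.aws_availability_zones.available` (declared outside this hunk) can check membership up front, e.g. `condition = alltrue([for az in var.availability_zones : contains(self.names, az)])` with an `error_message` naming the rejected entries. If that data source filters on zone state, caller-supplied names also bypass that filter, which the variable's description should mention.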
@@ -22,16 +22,16 @@ module "vpc" {
 source = "terraform-aws-modules/vpc/aws"
 version = "5.0.0"
- azs = data.aws_availability_zones.available.names // Use all availability zones.
- cidr = var.cidr // Use the CIDR specified as a variable.
- enable_dns_hostnames = true // Enable DNS hostnames (required by EKS).
- enable_nat_gateway = true // Enable NAT gateway to enable outbound internet traffic from instances in a private subnet.
- name = var.name // Use the name specified as a variable.
- one_nat_gateway_per_az = false // Use a single NAT gateway as that's the simplest and also all we need.
- secondary_cidr_blocks = var.secondary_cidr_blocks // Define secondary CIDR blocks.
- single_nat_gateway = true // Use a single NAT gateway as that's the simplest and also all we need.
- tags = var.tags // Use the tags specified as a variable.
- map_public_ip_on_launch = var.map_public_ip_on_launch // Map public IP on launch for instances in public subnets.
+ azs = local.availability_zones // Use selected availability zones.
+ cidr = var.cidr // Use the CIDR specified as a variable.
+ enable_dns_hostnames = true // Enable DNS hostnames (required by EKS).
+ enable_nat_gateway = true // Enable NAT gateway to enable outbound internet traffic from instances in a private subnet.
+ name = var.name // Use the name specified as a variable.
+ one_nat_gateway_per_az = false // Use a single NAT gateway as that's the simplest and also all we need.
+ secondary_cidr_blocks = var.secondary_cidr_blocks // Define secondary CIDR blocks.
+ single_nat_gateway = true // Use a single NAT gateway as that's the simplest and also all we need.
+ tags = var.tags // Use the tags specified as a variable.
+ map_public_ip_on_launch = var.map_public_ip_on_launch // Map public IP on launch for instances in public subnets.
 enable_ipv6 = var.enable_ipv6 // this will provide Amazon-provided IPv6 CIDR block which is a /56 block
 public_subnet_assign_ipv6_address_on_creation = var.enable_ipv6 // this will help the EC2 to get the IPV6 address when it boots
@@ -40,7 +40,7 @@ module "vpc" {
 // Create one private subnet per AZ (e.g. "10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24", ...).
 // This could surely have been made differently (possibly even sourced from a variable), but it suffices for the time being.
 private_subnets = [
- for i, v in data.aws_availability_zones.available.names :
+ for i, v in local.availability_zones :
 cidrsubnet(var.cidr, 8, i)
 ]
 // Tag the private subnets adequately.
@@ -56,7 +56,7 @@ module "vpc" {
 // Create one public subnet per AZ (e.g. "10.1.100.0/24", "10.1.101.0/24", "10.1.102.0/24", ...).
 // This could surely have been made differently (possibly even sourced from a variable), but it suffices for the time being.
 public_subnets = [
- for i, v in data.aws_availability_zones.available.names :
+ for i, v in local.availability_zones :
 cidrsubnet(var.cidr, 8, 100 + i)
 ]
 // Tag the public subnets adequately.
@@ -69,11 +69,11 @@ module "vpc" {
 )
 //This is needed when enabling the IPV6 but will not hurt when the IPV6 is not enabled.
 private_subnet_ipv6_prefixes = [
- for i, v in data.aws_availability_zones.available.names :
+ for i, v in local.availability_zones :
 i
 ]
 public_subnet_ipv6_prefixes = [
- for i, v in data.aws_availability_zones.available.names :
+ for i, v in local.availability_zones :
 10 + i
 ]
diff --git a/variables.tf b/variables.tf
index cd8861e..e2dea9e 100644
--- a/variables.tf
+++ b/variables.tf
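Review bot: The `private_subnets`, `public_subnets` and IPv6 prefix lists in the hunks at lines 40, 56 and 69 still derive each subnet's CIDR from the list index `i`, and that list is now caller-controlled, so inserting, removing or reordering an entry in `var.availability_zones` shifts every later subnet to a different CIDR and forces those subnets, and everything placed in them, to be replaced. The comment above `private_subnets` should say so, e.g. `// CIDRs are assigned by position in local.availability_zones: reordering or dropping an entry changes the CIDR of every later subnet and recreates it.`; alternatively the local could wrap the caller's list in `sort()` so the mapping does not depend on the order passed in. The `module "vpc"` block that contains these hunks starts and ends outside them.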
@@ -12,6 +12,16 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
+variable "availability_zones" {
+ # Usage: -var 'availability_zones=["us-east-1a"]'
+ description = <<-EOT
+ List of availability zone names that subnets can get deployed into.
+ If not provided, defaults to all AZs for the region.
+ EOT
+ type = list(string)
+ default = []
+}
+
 variable "additional_private_subnet_tags" {
 description = "Additional tags for the private subnets"
 type = map(string)
@@ -168,4 +178,4 @@ variable "map_public_ip_on_launch" {
 default = false
 description = "Whether to map public IPs on launch."
 type = bool
-}
\ No newline at end of file
+}

From 3c12df8d5778f9da4379d483893125db5fcc80a7 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Mon, 4 Nov 2024 09:04:01 +0000
Subject: [PATCH 2/2] terraform-docs: automated action

---
 README.md | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index b46c19c..5efaa67 100644
--- a/README.md
+++ b/README.md
@@ -47,17 +47,18 @@ An opinionated Terraform module that can be used to create and manage an VPC in | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [additional\_private\_subnet\_tags](#input\_additional\_private\_subnet\_tags) | Additional tags for the private subnets | `map(string)` | `{}` | no | -| [additional\_private\_subnets](#input\_additional\_private\_subnets) | Additional private subnets to create. |
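Review bot: The new `availability_zones` variable is declared as a bare `list(string)`, so duplicates or an empty string pass into the subnet loops in main.tf unchanged and only surface, if at all, once the VPC module tries to create the subnets. A `validation` block rejects both at plan time, and the description should also state that names must belong to the provider's region and that list order determines subnet CIDR assignment. The `# Usage:` comment is the only `#` comment in a file that otherwise uses `//`, as the context lines above it show.
```hcl
variable "availability_zones" {
  // Usage: -var 'availability_zones=["us-east-1a"]'
  // … unchanged: description, type, default …
  validation {
    condition     = length(distinct(var.availability_zones)) == length(var.availability_zones) && !contains(var.availability_zones, "")
    error_message = "availability_zones must not contain duplicate or empty entries."
  }
}
```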
list(object({
availability_zone = string
cidr = string
tags = map(string)
}))
| `[]` | no | +| [additional\_private\_subnets](#input\_additional\_private\_subnets) | Additional private subnets to create. |
list(object({
availability_zone = string
cidr = string
tags = map(string)
}))
| `[]` | no | | [additional\_public\_subnet\_tags](#input\_additional\_public\_subnet\_tags) | Additional tags for the public subnets | `map(string)` | `{}` | no | -| [additional\_public\_subnets](#input\_additional\_public\_subnets) | Additional public subnets to create. |
list(object({
availability_zone = string
cidr = string
tags = map(string)
}))
| `[]` | no | +| [additional\_public\_subnets](#input\_additional\_public\_subnets) | Additional public subnets to create. |
list(object({
availability_zone = string
cidr = string
tags = map(string)
}))
| `[]` | no | +| [availability\_zones](#input\_availability\_zones) | List of availability zone names that subnets can get deployed into.
If not provided, defaults to all AZs for the region. | `list(string)` | `[]` | no | | [bastion\_host\_ami\_id](#input\_bastion\_host\_ami\_id) | The ID of the AIM to use for the instance. Setting this will ignore `bastion_host_ami_name_filter` and `bastion_host_ami_owners`. | `string` | `null` | no | | [bastion\_host\_ami\_name\_filter](#input\_bastion\_host\_ami\_name\_filter) | The AMI filter to use for the bastion host's AMI. | `string` | `"amzn2-ami-hvm-2.*-x86_64-ebs"` | no | -| [bastion\_host\_ami\_owners](#input\_bastion\_host\_ami\_owners) | The list of owners used to select the AMI. | `list(string)` |
[
"amazon"
]
| no | +| [bastion\_host\_ami\_owners](#input\_bastion\_host\_ami\_owners) | The list of owners used to select the AMI. | `list(string)` |
[
"amazon"
]
| no | | [bastion\_host\_assign\_public\_ip](#input\_bastion\_host\_assign\_public\_ip) | Whether to assign a public IP address to the bastion host. | `bool` | `false` | no | | [bastion\_host\_enabled](#input\_bastion\_host\_enabled) | Whether to create an EC2 instance in the VPC that can be used as a bastion host. | `bool` | `false` | no | | [bastion\_host\_extra\_security\_groups](#input\_bastion\_host\_extra\_security\_groups) | A list of extra security groups to associate with the bastion host. | `list(string)` | `[]` | no | | [bastion\_host\_instance\_type](#input\_bastion\_host\_instance\_type) | The instance type to use for the bastion host. | `string` | `"t2.micro"` | no | -| [bastion\_host\_security\_group\_rules](#input\_bastion\_host\_security\_group\_rules) | A list of security group rules to apply to the bastion host. | `list(any)` |
[
{
"cidr_blocks": [
"0.0.0.0/0"
],
"description": "Allow all outbound traffic",
"from_port": 0,
"protocol": -1,
"to_port": 0,
"type": "egress"
},
{
"cidr_blocks": [
"0.0.0.0/0"
],
"description": "Allow all inbound to SSH",
"from_port": 22,
"protocol": "tcp",
"to_port": 22,
"type": "ingress"
}
]
| no | +| [bastion\_host\_security\_group\_rules](#input\_bastion\_host\_security\_group\_rules) | A list of security group rules to apply to the bastion host. | `list(any)` |
[
{
"cidr_blocks": [
"0.0.0.0/0"
],
"description": "Allow all outbound traffic",
"from_port": 0,
"protocol": -1,
"to_port": 0,
"type": "egress"
},
{
"cidr_blocks": [
"0.0.0.0/0"
],
"description": "Allow all inbound to SSH",
"from_port": 22,
"protocol": "tcp",
"to_port": 22,
"type": "ingress"
}
]
| no | | [bastion\_host\_ssh\_public\_key](#input\_bastion\_host\_ssh\_public\_key) | If specified, will be used as the public SSH key for the bastion host. | `string` | `""` | no | | [bastion\_host\_user\_data](#input\_bastion\_host\_user\_data) | The user data to use for the bastion host. | `list(string)` | `[]` | no | | [bastion\_host\_user\_data\_base64](#input\_bastion\_host\_user\_data\_base64) | The user data to use for the bastion host, base64 encoded. | `string` | `""` | no |